]> git.proxmox.com Git - qemu-server.git/blob - PVE/API2/Qemu.pm
projects / qemu-server.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
add memory parser
[qemu-server.git] / PVE / API2 / Qemu.pm
1 package PVE::API2::Qemu;
2
3 use strict;
4 use warnings;
5 use Cwd 'abs_path';
6 use Net::SSLeay;
7 use IO::Socket::IP;
8 use IO::Socket::UNIX;
9 use IPC::Open3;
10 use JSON;
11 use URI::Escape;
12 use Crypt::OpenSSL::Random;
13 use Socket qw(SOCK_STREAM);
14
15 use PVE::APIClient::LWP;
16 use PVE::CGroup;
17 use PVE::Cluster qw (cfs_read_file cfs_write_file);;
18 use PVE::RRD;
19 use PVE::SafeSyslog;
20 use PVE::Tools qw(extract_param);
21 use PVE::Exception qw(raise raise_param_exc raise_perm_exc);
22 use PVE::Storage;
23 use PVE::JSONSchema qw(get_standard_option);
24 use PVE::RESTHandler;
25 use PVE::ReplicationConfig;
26 use PVE::GuestHelpers qw(assert_tag_permissions);
27 use PVE::QemuConfig;
28 use PVE::QemuServer;
29 use PVE::QemuServer::Cloudinit;
30 use PVE::QemuServer::CPUConfig;
31 use PVE::QemuServer::Drive;
32 use PVE::QemuServer::ImportDisk;
33 use PVE::QemuServer::Monitor qw(mon_cmd);
34 use PVE::QemuServer::Machine;
35 use PVE::QemuServer::Memory qw(get_current_memory);
36 use PVE::QemuServer::PCI;
37 use PVE::QemuServer::USB;
38 use PVE::QemuMigrate;
39 use PVE::RPCEnvironment;
40 use PVE::AccessControl;
41 use PVE::INotify;
42 use PVE::Network;
43 use PVE::Firewall;
44 use PVE::API2::Firewall::VM;
45 use PVE::API2::Qemu::Agent;
46 use PVE::VZDump::Plugin;
47 use PVE::DataCenterConfig;
48 use PVE::SSHInfo;
49 use PVE::Replication;
50 use PVE::StorageTunnel;
51
52 BEGIN {
53 if (!$ENV{PVE_GENERATING_DOCS}) {
54 require PVE::HA::Env::PVE2;
55 import PVE::HA::Env::PVE2;
56 require PVE::HA::Config;
57 import PVE::HA::Config;
58 }
59 }
60
61 use base qw(PVE::RESTHandler);
62
63 my $opt_force_description = "Force physical removal. Without this, we simple remove the disk from the config file and create an additional configuration entry called 'unused[n]', which contains the volume ID. Unlink of unused[n] always cause physical removal.";
64
65 my $resolve_cdrom_alias = sub {
66 my $param = shift;
67
68 if (my $value = $param->{cdrom}) {
69 $value .= ",media=cdrom" if $value !~ m/media=/;
70 $param->{ide2} = $value;
71 delete $param->{cdrom};
72 }
73 };
74
75 # Used in import-enabled API endpoints. Parses drives using the extended '_with_alloc' schema.
76 my $foreach_volume_with_alloc = sub {
77 my ($param, $func) = @_;
78
79 for my $opt (sort keys $param->%*) {
80 next if !PVE::QemuServer::is_valid_drivename($opt);
81
82 my $drive = PVE::QemuServer::Drive::parse_drive($opt, $param->{$opt}, 1);
83 next if !$drive;
84
85 $func->($opt, $drive);
86 }
87 };
88
89 my $NEW_DISK_RE = qr!^(([^/:\s]+):)?(\d+(\.\d+)?)$!;
90
91 my $check_drive_param = sub {
92 my ($param, $storecfg, $extra_checks) = @_;
93
94 for my $opt (sort keys $param->%*) {
95 next if !PVE::QemuServer::is_valid_drivename($opt);
96
97 my $drive = PVE::QemuServer::parse_drive($opt, $param->{$opt}, 1);
98 raise_param_exc({ $opt => "unable to parse drive options" }) if !$drive;
99
100 if ($drive->{'import-from'}) {
101 if ($drive->{file} !~ $NEW_DISK_RE || $3 != 0) {
102 raise_param_exc({
103 $opt => "'import-from' requires special syntax - ".
104 "use <storage ID>:0,import-from=<source>",
105 });
106 }
107
108 if ($opt eq 'efidisk0') {
109 for my $required (qw(efitype pre-enrolled-keys)) {
110 if (!defined($drive->{$required})) {
111 raise_param_exc({
112 $opt => "need to specify '$required' when using 'import-from'",
113 });
114 }
115 }
116 } elsif ($opt eq 'tpmstate0') {
117 raise_param_exc({ $opt => "need to specify 'version' when using 'import-from'" })
118 if !defined($drive->{version});
119 }
120 }
121
122 PVE::QemuServer::cleanup_drive_path($opt, $storecfg, $drive);
123
124 $extra_checks->($drive) if $extra_checks;
125
126 $param->{$opt} = PVE::QemuServer::print_drive($drive, 1);
127 }
128 };
129
130 my $check_storage_access = sub {
131 my ($rpcenv, $authuser, $storecfg, $vmid, $settings, $default_storage) = @_;
132
133 $foreach_volume_with_alloc->($settings, sub {
134 my ($ds, $drive) = @_;
135
136 my $isCDROM = PVE::QemuServer::drive_is_cdrom($drive);
137
138 my $volid = $drive->{file};
139 my ($storeid, $volname) = PVE::Storage::parse_volume_id($volid, 1);
140
141 if (!$volid || ($volid eq 'none' || $volid eq 'cloudinit' || (defined($volname) && $volname eq 'cloudinit'))) {
142 # nothing to check
143 } elsif ($isCDROM && ($volid eq 'cdrom')) {
144 $rpcenv->check($authuser, "/", ['Sys.Console']);
145 } elsif (!$isCDROM && ($volid =~ $NEW_DISK_RE)) {
146 my ($storeid, $size) = ($2 || $default_storage, $3);
147 die "no storage ID specified (and no default storage)\n" if !$storeid;
148 $rpcenv->check($authuser, "/storage/$storeid", ['Datastore.AllocateSpace']);
149 my $scfg = PVE::Storage::storage_config($storecfg, $storeid);
150 raise_param_exc({ storage => "storage '$storeid' does not support vm images"})
151 if !$scfg->{content}->{images};
152 } else {
153 PVE::Storage::check_volume_access($rpcenv, $authuser, $storecfg, $vmid, $volid);
154 if ($storeid) {
155 my ($vtype) = PVE::Storage::parse_volname($storecfg, $volid);
156 raise_param_exc({ $ds => "content type needs to be 'images' or 'iso'" })
157 if $vtype ne 'images' && $vtype ne 'iso';
158 }
159 }
160
161 if (my $src_image = $drive->{'import-from'}) {
162 my $src_vmid;
163 if (PVE::Storage::parse_volume_id($src_image, 1)) { # PVE-managed volume
164 (my $vtype, undef, $src_vmid) = PVE::Storage::parse_volname($storecfg, $src_image);
165 raise_param_exc({ $ds => "$src_image has wrong type '$vtype' - not an image" })
166 if $vtype ne 'images';
167 }
168
169 if ($src_vmid) { # might be actively used by VM and will be copied via clone_disk()
170 $rpcenv->check($authuser, "/vms/${src_vmid}", ['VM.Clone']);
171 } else {
172 PVE::Storage::check_volume_access($rpcenv, $authuser, $storecfg, $vmid, $src_image);
173 }
174 }
175 });
176
177 $rpcenv->check($authuser, "/storage/$settings->{vmstatestorage}", ['Datastore.AllocateSpace'])
178 if defined($settings->{vmstatestorage});
179 };
180
181 my $check_storage_access_clone = sub {
182 my ($rpcenv, $authuser, $storecfg, $conf, $storage) = @_;
183
184 my $sharedvm = 1;
185
186 PVE::QemuConfig->foreach_volume($conf, sub {
187 my ($ds, $drive) = @_;
188
189 my $isCDROM = PVE::QemuServer::drive_is_cdrom($drive);
190
191 my $volid = $drive->{file};
192
193 return if !$volid || $volid eq 'none';
194
195 if ($isCDROM) {
196 if ($volid eq 'cdrom') {
197 $rpcenv->check($authuser, "/", ['Sys.Console']);
198 } else {
199 # we simply allow access
200 my ($sid, $volname) = PVE::Storage::parse_volume_id($volid);
201 my $scfg = PVE::Storage::storage_config($storecfg, $sid);
202 $sharedvm = 0 if !$scfg->{shared};
203
204 }
205 } else {
206 my ($sid, $volname) = PVE::Storage::parse_volume_id($volid);
207 my $scfg = PVE::Storage::storage_config($storecfg, $sid);
208 $sharedvm = 0 if !$scfg->{shared};
209
210 $sid = $storage if $storage;
211 $rpcenv->check($authuser, "/storage/$sid", ['Datastore.AllocateSpace']);
212 }
213 });
214
215 $rpcenv->check($authuser, "/storage/$conf->{vmstatestorage}", ['Datastore.AllocateSpace'])
216 if defined($conf->{vmstatestorage});
217
218 return $sharedvm;
219 };
220
221 my $check_storage_access_migrate = sub {
222 my ($rpcenv, $authuser, $storecfg, $storage, $node) = @_;
223
224 PVE::Storage::storage_check_enabled($storecfg, $storage, $node);
225
226 $rpcenv->check($authuser, "/storage/$storage", ['Datastore.AllocateSpace']);
227
228 my $scfg = PVE::Storage::storage_config($storecfg, $storage);
229 die "storage '$storage' does not support vm images\n"
230 if !$scfg->{content}->{images};
231 };
232
233 my $import_from_volid = sub {
234 my ($storecfg, $src_volid, $dest_info, $vollist) = @_;
235
236 die "could not get size of $src_volid\n"
237 if !PVE::Storage::volume_size_info($storecfg, $src_volid, 10);
238
239 die "cannot import from cloudinit disk\n"
240 if PVE::QemuServer::Drive::drive_is_cloudinit({ file => $src_volid });
241
242 my $src_vmid = (PVE::Storage::parse_volname($storecfg, $src_volid))[2];
243
244 my $src_vm_state = sub {
245 my $exists = $src_vmid && PVE::Cluster::get_vmlist()->{ids}->{$src_vmid} ? 1 : 0;
246
247 my $runs = 0;
248 if ($exists) {
249 eval { PVE::QemuConfig::assert_config_exists_on_node($src_vmid); };
250 die "owner VM $src_vmid not on local node\n" if $@;
251 $runs = PVE::QemuServer::Helpers::vm_running_locally($src_vmid) || 0;
252 }
253
254 return ($exists, $runs);
255 };
256
257 my ($src_vm_exists, $running) = $src_vm_state->();
258
259 die "cannot import from '$src_volid' - full clone feature is not supported\n"
260 if !PVE::Storage::volume_has_feature($storecfg, 'copy', $src_volid, undef, $running);
261
262 my $clonefn = sub {
263 my ($src_vm_exists_now, $running_now) = $src_vm_state->();
264
265 die "owner VM $src_vmid changed state unexpectedly\n"
266 if $src_vm_exists_now != $src_vm_exists || $running_now != $running;
267
268 my $src_conf = $src_vm_exists_now ? PVE::QemuConfig->load_config($src_vmid) : {};
269
270 my $src_drive = { file => $src_volid };
271 my $src_drivename;
272 PVE::QemuConfig->foreach_volume($src_conf, sub {
273 my ($ds, $drive) = @_;
274
275 return if $src_drivename;
276
277 if ($drive->{file} eq $src_volid) {
278 $src_drive = $drive;
279 $src_drivename = $ds;
280 }
281 });
282
283 my $source_info = {
284 vmid => $src_vmid,
285 running => $running_now,
286 drivename => $src_drivename,
287 drive => $src_drive,
288 snapname => undef,
289 };
290
291 my ($src_storeid) = PVE::Storage::parse_volume_id($src_volid);
292
293 return PVE::QemuServer::clone_disk(
294 $storecfg,
295 $source_info,
296 $dest_info,
297 1,
298 $vollist,
299 undef,
300 undef,
301 $src_conf->{agent},
302 PVE::Storage::get_bandwidth_limit('clone', [$src_storeid, $dest_info->{storage}]),
303 );
304 };
305
306 my $cloned;
307 if ($running) {
308 $cloned = PVE::QemuConfig->lock_config_full($src_vmid, 30, $clonefn);
309 } elsif ($src_vmid) {
310 $cloned = PVE::QemuConfig->lock_config_shared($src_vmid, 30, $clonefn);
311 } else {
312 $cloned = $clonefn->();
313 }
314
315 return $cloned->@{qw(file size)};
316 };
317
318 # Note: $pool is only needed when creating a VM, because pool permissions
319 # are automatically inherited if VM already exists inside a pool.
320 my $create_disks = sub {
321 my ($rpcenv, $authuser, $conf, $arch, $storecfg, $vmid, $pool, $settings, $default_storage) = @_;
322
323 my $vollist = [];
324
325 my $res = {};
326
327 my $code = sub {
328 my ($ds, $disk) = @_;
329
330 my $volid = $disk->{file};
331 my ($storeid, $volname) = PVE::Storage::parse_volume_id($volid, 1);
332
333 if (!$volid || $volid eq 'none' || $volid eq 'cdrom') {
334 delete $disk->{size};
335 $res->{$ds} = PVE::QemuServer::print_drive($disk);
336 } elsif (defined($volname) && $volname eq 'cloudinit') {
337 $storeid = $storeid // $default_storage;
338 die "no storage ID specified (and no default storage)\n" if !$storeid;
339
340 if (
341 my $ci_key = PVE::QemuConfig->has_cloudinit($conf, $ds)
342 || PVE::QemuConfig->has_cloudinit($conf->{pending} || {}, $ds)
343 || PVE::QemuConfig->has_cloudinit($res, $ds)
344 ) {
345 die "$ds - cloud-init drive is already attached at '$ci_key'\n";
346 }
347
348 my $scfg = PVE::Storage::storage_config($storecfg, $storeid);
349 my $name = "vm-$vmid-cloudinit";
350
351 my $fmt = undef;
352 if ($scfg->{path}) {
353 $fmt = $disk->{format} // "qcow2";
354 $name .= ".$fmt";
355 } else {
356 $fmt = $disk->{format} // "raw";
357 }
358
359 # Initial disk created with 4 MB and aligned to 4MB on regeneration
360 my $ci_size = PVE::QemuServer::Cloudinit::CLOUDINIT_DISK_SIZE;
361 my $volid = PVE::Storage::vdisk_alloc($storecfg, $storeid, $vmid, $fmt, $name, $ci_size/1024);
362 $disk->{file} = $volid;
363 $disk->{media} = 'cdrom';
364 push @$vollist, $volid;
365 delete $disk->{format}; # no longer needed
366 $res->{$ds} = PVE::QemuServer::print_drive($disk);
367 print "$ds: successfully created disk '$res->{$ds}'\n";
368 } elsif ($volid =~ $NEW_DISK_RE) {
369 my ($storeid, $size) = ($2 || $default_storage, $3);
370 die "no storage ID specified (and no default storage)\n" if !$storeid;
371
372 if (my $source = delete $disk->{'import-from'}) {
373 my $dst_volid;
374
375 if (PVE::Storage::parse_volume_id($source, 1)) { # PVE-managed volume
376 my $dest_info = {
377 vmid => $vmid,
378 drivename => $ds,
379 storage => $storeid,
380 format => $disk->{format},
381 };
382
383 $dest_info->{efisize} = PVE::QemuServer::get_efivars_size($conf, $disk)
384 if $ds eq 'efidisk0';
385
386 ($dst_volid, $size) = eval {
387 $import_from_volid->($storecfg, $source, $dest_info, $vollist);
388 };
389 die "cannot import from '$source' - $@" if $@;
390 } else {
391 $source = PVE::Storage::abs_filesystem_path($storecfg, $source, 1);
392 $size = PVE::Storage::file_size_info($source);
393 die "could not get file size of $source\n" if !$size;
394
395 (undef, $dst_volid) = PVE::QemuServer::ImportDisk::do_import(
396 $source,
397 $vmid,
398 $storeid,
399 {
400 drive_name => $ds,
401 format => $disk->{format},
402 'skip-config-update' => 1,
403 },
404 );
405 push @$vollist, $dst_volid;
406 }
407
408 $disk->{file} = $dst_volid;
409 $disk->{size} = $size;
410 delete $disk->{format}; # no longer needed
411 $res->{$ds} = PVE::QemuServer::print_drive($disk);
412 } else {
413 my $defformat = PVE::Storage::storage_default_format($storecfg, $storeid);
414 my $fmt = $disk->{format} || $defformat;
415
416 $size = PVE::Tools::convert_size($size, 'gb' => 'kb'); # vdisk_alloc uses kb
417
418 my $volid;
419 if ($ds eq 'efidisk0') {
420 my $smm = PVE::QemuServer::Machine::machine_type_is_q35($conf);
421 ($volid, $size) = PVE::QemuServer::create_efidisk(
422 $storecfg, $storeid, $vmid, $fmt, $arch, $disk, $smm);
423 } elsif ($ds eq 'tpmstate0') {
424 # swtpm can only use raw volumes, and uses a fixed size
425 $size = PVE::Tools::convert_size(PVE::QemuServer::Drive::TPMSTATE_DISK_SIZE, 'b' => 'kb');
426 $volid = PVE::Storage::vdisk_alloc($storecfg, $storeid, $vmid, "raw", undef, $size);
427 } else {
428 $volid = PVE::Storage::vdisk_alloc($storecfg, $storeid, $vmid, $fmt, undef, $size);
429 }
430 push @$vollist, $volid;
431 $disk->{file} = $volid;
432 $disk->{size} = PVE::Tools::convert_size($size, 'kb' => 'b');
433 delete $disk->{format}; # no longer needed
434 $res->{$ds} = PVE::QemuServer::print_drive($disk);
435 }
436
437 print "$ds: successfully created disk '$res->{$ds}'\n";
438 } else {
439 PVE::Storage::check_volume_access($rpcenv, $authuser, $storecfg, $vmid, $volid);
440 if ($storeid) {
441 my ($vtype) = PVE::Storage::parse_volname($storecfg, $volid);
442 die "cannot use volume $volid - content type needs to be 'images' or 'iso'"
443 if $vtype ne 'images' && $vtype ne 'iso';
444
445 if (PVE::QemuServer::Drive::drive_is_cloudinit($disk)) {
446 if (
447 my $ci_key = PVE::QemuConfig->has_cloudinit($conf, $ds)
448 || PVE::QemuConfig->has_cloudinit($conf->{pending} || {}, $ds)
449 || PVE::QemuConfig->has_cloudinit($res, $ds)
450 ) {
451 die "$ds - cloud-init drive is already attached at '$ci_key'\n";
452 }
453 }
454 }
455
456 PVE::Storage::activate_volumes($storecfg, [ $volid ]) if $storeid;
457
458 my $size = PVE::Storage::volume_size_info($storecfg, $volid);
459 die "volume $volid does not exist\n" if !$size;
460 $disk->{size} = $size;
461
462 $res->{$ds} = PVE::QemuServer::print_drive($disk);
463 }
464 };
465
466 eval { $foreach_volume_with_alloc->($settings, $code); };
467
468 # free allocated images on error
469 if (my $err = $@) {
470 syslog('err', "VM $vmid creating disks failed");
471 foreach my $volid (@$vollist) {
472 eval { PVE::Storage::vdisk_free($storecfg, $volid); };
473 warn $@ if $@;
474 }
475 die $err;
476 }
477
478 return ($vollist, $res);
479 };
480
481 my $check_cpu_model_access = sub {
482 my ($rpcenv, $authuser, $new, $existing) = @_;
483
484 return if !defined($new->{cpu});
485
486 my $cpu = PVE::JSONSchema::check_format('pve-vm-cpu-conf', $new->{cpu});
487 return if !$cpu || !$cpu->{cputype}; # always allow default
488 my $cputype = $cpu->{cputype};
489
490 if ($existing && $existing->{cpu}) {
491 # changing only other settings doesn't require permissions for CPU model
492 my $existingCpu = PVE::JSONSchema::check_format('pve-vm-cpu-conf', $existing->{cpu});
493 return if $existingCpu->{cputype} eq $cputype;
494 }
495
496 if (PVE::QemuServer::CPUConfig::is_custom_model($cputype)) {
497 $rpcenv->check($authuser, "/nodes", ['Sys.Audit']);
498 }
499 };
500
501 my $cpuoptions = {
502 'cores' => 1,
503 'cpu' => 1,
504 'cpulimit' => 1,
505 'cpuunits' => 1,
506 'numa' => 1,
507 'smp' => 1,
508 'sockets' => 1,
509 'vcpus' => 1,
510 };
511
512 my $memoryoptions = {
513 'memory' => 1,
514 'balloon' => 1,
515 'shares' => 1,
516 };
517
518 my $hwtypeoptions = {
519 'acpi' => 1,
520 'hotplug' => 1,
521 'kvm' => 1,
522 'machine' => 1,
523 'scsihw' => 1,
524 'smbios1' => 1,
525 'tablet' => 1,
526 'vga' => 1,
527 'watchdog' => 1,
528 'audio0' => 1,
529 };
530
531 my $generaloptions = {
532 'agent' => 1,
533 'autostart' => 1,
534 'bios' => 1,
535 'description' => 1,
536 'keyboard' => 1,
537 'localtime' => 1,
538 'migrate_downtime' => 1,
539 'migrate_speed' => 1,
540 'name' => 1,
541 'onboot' => 1,
542 'ostype' => 1,
543 'protection' => 1,
544 'reboot' => 1,
545 'startdate' => 1,
546 'startup' => 1,
547 'tdf' => 1,
548 'template' => 1,
549 };
550
551 my $vmpoweroptions = {
552 'freeze' => 1,
553 };
554
555 my $diskoptions = {
556 'boot' => 1,
557 'bootdisk' => 1,
558 'vmstatestorage' => 1,
559 };
560
561 my $cloudinitoptions = {
562 cicustom => 1,
563 cipassword => 1,
564 citype => 1,
565 ciuser => 1,
566 ciupgrade => 1,
567 nameserver => 1,
568 searchdomain => 1,
569 sshkeys => 1,
570 };
571
572 my $check_vm_create_serial_perm = sub {
573 my ($rpcenv, $authuser, $vmid, $pool, $param) = @_;
574
575 return 1 if $authuser eq 'root@pam';
576
577 foreach my $opt (keys %{$param}) {
578 next if $opt !~ m/^serial\d+$/;
579
580 if ($param->{$opt} eq 'socket') {
581 $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.HWType']);
582 } else {
583 die "only root can set '$opt' config for real devices\n";
584 }
585 }
586
587 return 1;
588 };
589
590 my sub check_usb_perm {
591 my ($rpcenv, $authuser, $vmid, $pool, $opt, $value) = @_;
592
593 return 1 if $authuser eq 'root@pam';
594
595 $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.HWType']);
596
597 my $device = PVE::JSONSchema::parse_property_string('pve-qm-usb', $value);
598 if ($device->{host} && $device->{host} !~ m/^spice$/i) {
599 die "only root can set '$opt' config for real devices\n";
600 } elsif ($device->{mapping}) {
601 $rpcenv->check_full($authuser, "/mapping/usb/$device->{mapping}", ['Mapping.Use']);
602 } else {
603 die "either 'host' or 'mapping' must be set.\n";
604 }
605
606 return 1;
607 }
608
609 my sub check_vm_create_usb_perm {
610 my ($rpcenv, $authuser, $vmid, $pool, $param) = @_;
611
612 return 1 if $authuser eq 'root@pam';
613
614 foreach my $opt (keys %{$param}) {
615 next if $opt !~ m/^usb\d+$/;
616 check_usb_perm($rpcenv, $authuser, $vmid, $pool, $opt, $param->{$opt});
617 }
618
619 return 1;
620 };
621
622 my sub check_hostpci_perm {
623 my ($rpcenv, $authuser, $vmid, $pool, $opt, $value) = @_;
624
625 return 1 if $authuser eq 'root@pam';
626
627 my $device = PVE::JSONSchema::parse_property_string('pve-qm-hostpci', $value);
628 if ($device->{host}) {
629 die "only root can set '$opt' config for non-mapped devices\n";
630 } elsif ($device->{mapping}) {
631 $rpcenv->check_full($authuser, "/mapping/pci/$device->{mapping}", ['Mapping.Use']);
632 $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.HWType']);
633 } else {
634 die "either 'host' or 'mapping' must be set.\n";
635 }
636
637 return 1;
638 }
639
640 my sub check_vm_create_hostpci_perm {
641 my ($rpcenv, $authuser, $vmid, $pool, $param) = @_;
642
643 return 1 if $authuser eq 'root@pam';
644
645 foreach my $opt (keys %{$param}) {
646 next if $opt !~ m/^hostpci\d+$/;
647 check_hostpci_perm($rpcenv, $authuser, $vmid, $pool, $opt, $param->{$opt});
648 }
649
650 return 1;
651 };
652
653 my $check_vm_modify_config_perm = sub {
654 my ($rpcenv, $authuser, $vmid, $pool, $key_list) = @_;
655
656 return 1 if $authuser eq 'root@pam';
657
658 foreach my $opt (@$key_list) {
659 # some checks (e.g., disk, serial port, usb) need to be done somewhere
660 # else, as there the permission can be value dependend
661 next if PVE::QemuServer::is_valid_drivename($opt);
662 next if $opt eq 'cdrom';
663 next if $opt =~ m/^(?:unused|serial|usb|hostpci)\d+$/;
664 next if $opt eq 'tags';
665
666
667 if ($cpuoptions->{$opt} || $opt =~ m/^numa\d+$/) {
668 $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.CPU']);
669 } elsif ($memoryoptions->{$opt}) {
670 $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Memory']);
671 } elsif ($hwtypeoptions->{$opt}) {
672 $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.HWType']);
673 } elsif ($generaloptions->{$opt}) {
674 $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Options']);
675 # special case for startup since it changes host behaviour
676 if ($opt eq 'startup') {
677 $rpcenv->check_full($authuser, "/", ['Sys.Modify']);
678 }
679 } elsif ($vmpoweroptions->{$opt}) {
680 $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.PowerMgmt']);
681 } elsif ($diskoptions->{$opt}) {
682 $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Disk']);
683 } elsif ($opt =~ m/^net\d+$/) {
684 $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Network']);
685 } elsif ($cloudinitoptions->{$opt} || $opt =~ m/^ipconfig\d+$/) {
686 $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Cloudinit', 'VM.Config.Network'], 1);
687 } elsif ($opt eq 'vmstate') {
688 # the user needs Disk and PowerMgmt privileges to change the vmstate
689 # also needs privileges on the storage, that will be checked later
690 $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Disk', 'VM.PowerMgmt' ]);
691 } else {
692 # catches args, lock, etc.
693 # new options will be checked here
694 die "only root can set '$opt' config\n";
695 }
696 }
697
698 return 1;
699 };
700
701 __PACKAGE__->register_method({
702 name => 'vmlist',
703 path => '',
704 method => 'GET',
705 description => "Virtual machine index (per node).",
706 permissions => {
707 description => "Only list VMs where you have VM.Audit permissons on /vms/<vmid>.",
708 user => 'all',
709 },
710 proxyto => 'node',
711 protected => 1, # qemu pid files are only readable by root
712 parameters => {
713 additionalProperties => 0,
714 properties => {
715 node => get_standard_option('pve-node'),
716 full => {
717 type => 'boolean',
718 optional => 1,
719 description => "Determine the full status of active VMs.",
720 },
721 },
722 },
723 returns => {
724 type => 'array',
725 items => {
726 type => "object",
727 properties => $PVE::QemuServer::vmstatus_return_properties,
728 },
729 links => [ { rel => 'child', href => "{vmid}" } ],
730 },
731 code => sub {
732 my ($param) = @_;
733
734 my $rpcenv = PVE::RPCEnvironment::get();
735 my $authuser = $rpcenv->get_user();
736
737 my $vmstatus = PVE::QemuServer::vmstatus(undef, $param->{full});
738
739 my $res = [];
740 foreach my $vmid (keys %$vmstatus) {
741 next if !$rpcenv->check($authuser, "/vms/$vmid", [ 'VM.Audit' ], 1);
742
743 my $data = $vmstatus->{$vmid};
744 push @$res, $data;
745 }
746
747 return $res;
748 }});
749
750 my $parse_restore_archive = sub {
751 my ($storecfg, $archive) = @_;
752
753 my ($archive_storeid, $archive_volname) = PVE::Storage::parse_volume_id($archive, 1);
754
755 my $res = {};
756
757 if (defined($archive_storeid)) {
758 my $scfg = PVE::Storage::storage_config($storecfg, $archive_storeid);
759 $res->{volid} = $archive;
760 if ($scfg->{type} eq 'pbs') {
761 $res->{type} = 'pbs';
762 return $res;
763 }
764 }
765 my $path = PVE::Storage::abs_filesystem_path($storecfg, $archive);
766 $res->{type} = 'file';
767 $res->{path} = $path;
768 return $res;
769 };
770
771
772 __PACKAGE__->register_method({
773 name => 'create_vm',
774 path => '',
775 method => 'POST',
776 description => "Create or restore a virtual machine.",
777 permissions => {
778 description => "You need 'VM.Allocate' permissions on /vms/{vmid} or on the VM pool /pool/{pool}. " .
779 "For restore (option 'archive'), it is enough if the user has 'VM.Backup' permission and the VM already exists. " .
780 "If you create disks you need 'Datastore.AllocateSpace' on any used storage." .
781 "If you use a bridge/vlan, you need 'SDN.Use' on any used bridge/vlan.",
782 user => 'all', # check inside
783 },
784 protected => 1,
785 proxyto => 'node',
786 parameters => {
787 additionalProperties => 0,
788 properties => PVE::QemuServer::json_config_properties(
789 {
790 node => get_standard_option('pve-node'),
791 vmid => get_standard_option('pve-vmid', { completion => \&PVE::Cluster::complete_next_vmid }),
792 archive => {
793 description => "The backup archive. Either the file system path to a .tar or .vma file (use '-' to pipe data from stdin) or a proxmox storage backup volume identifier.",
794 type => 'string',
795 optional => 1,
796 maxLength => 255,
797 completion => \&PVE::QemuServer::complete_backup_archives,
798 },
799 storage => get_standard_option('pve-storage-id', {
800 description => "Default storage.",
801 optional => 1,
802 completion => \&PVE::QemuServer::complete_storage,
803 }),
804 force => {
805 optional => 1,
806 type => 'boolean',
807 description => "Allow to overwrite existing VM.",
808 requires => 'archive',
809 },
810 unique => {
811 optional => 1,
812 type => 'boolean',
813 description => "Assign a unique random ethernet address.",
814 requires => 'archive',
815 },
816 'live-restore' => {
817 optional => 1,
818 type => 'boolean',
819 description => "Start the VM immediately from the backup and restore in background. PBS only.",
820 requires => 'archive',
821 },
822 pool => {
823 optional => 1,
824 type => 'string', format => 'pve-poolid',
825 description => "Add the VM to the specified pool.",
826 },
827 bwlimit => {
828 description => "Override I/O bandwidth limit (in KiB/s).",
829 optional => 1,
830 type => 'integer',
831 minimum => '0',
832 default => 'restore limit from datacenter or storage config',
833 },
834 start => {
835 optional => 1,
836 type => 'boolean',
837 default => 0,
838 description => "Start VM after it was created successfully.",
839 },
840 },
841 1, # with_disk_alloc
842 ),
843 },
844 returns => {
845 type => 'string',
846 },
847 code => sub {
848 my ($param) = @_;
849
850 my $rpcenv = PVE::RPCEnvironment::get();
851 my $authuser = $rpcenv->get_user();
852
853 my $node = extract_param($param, 'node');
854 my $vmid = extract_param($param, 'vmid');
855
856 my $archive = extract_param($param, 'archive');
857 my $is_restore = !!$archive;
858
859 my $bwlimit = extract_param($param, 'bwlimit');
860 my $force = extract_param($param, 'force');
861 my $pool = extract_param($param, 'pool');
862 my $start_after_create = extract_param($param, 'start');
863 my $storage = extract_param($param, 'storage');
864 my $unique = extract_param($param, 'unique');
865 my $live_restore = extract_param($param, 'live-restore');
866
867 if (defined(my $ssh_keys = $param->{sshkeys})) {
868 $ssh_keys = URI::Escape::uri_unescape($ssh_keys);
869 PVE::Tools::validate_ssh_public_keys($ssh_keys);
870 }
871
872 $param->{cpuunits} = PVE::CGroup::clamp_cpu_shares($param->{cpuunits})
873 if defined($param->{cpuunits}); # clamp value depending on cgroup version
874
875 PVE::Cluster::check_cfs_quorum();
876
877 my $filename = PVE::QemuConfig->config_file($vmid);
878 my $storecfg = PVE::Storage::config();
879
880 if (defined($pool)) {
881 $rpcenv->check_pool_exist($pool);
882 }
883
884 $rpcenv->check($authuser, "/storage/$storage", ['Datastore.AllocateSpace'])
885 if defined($storage);
886
887 if ($rpcenv->check($authuser, "/vms/$vmid", ['VM.Allocate'], 1)) {
888 # OK
889 } elsif ($pool && $rpcenv->check($authuser, "/pool/$pool", ['VM.Allocate'], 1)) {
890 # OK
891 } elsif ($archive && $force && (-f $filename) &&
892 $rpcenv->check($authuser, "/vms/$vmid", ['VM.Backup'], 1)) {
893 # OK: user has VM.Backup permissions and wants to restore an existing VM
894 } else {
895 raise_perm_exc();
896 }
897
898 if ($archive) {
899 for my $opt (sort keys $param->%*) {
900 if (PVE::QemuServer::Drive::is_valid_drivename($opt)) {
901 raise_param_exc({ $opt => "option conflicts with option 'archive'" });
902 }
903 }
904
905 if ($archive eq '-') {
906 die "pipe requires cli environment\n" if $rpcenv->{type} ne 'cli';
907 $archive = { type => 'pipe' };
908 } else {
909 PVE::Storage::check_volume_access(
910 $rpcenv,
911 $authuser,
912 $storecfg,
913 $vmid,
914 $archive,
915 'backup',
916 );
917
918 $archive = $parse_restore_archive->($storecfg, $archive);
919 }
920 }
921
922 if (scalar(keys $param->%*) > 0) {
923 &$resolve_cdrom_alias($param);
924
925 &$check_storage_access($rpcenv, $authuser, $storecfg, $vmid, $param, $storage);
926
927 &$check_vm_modify_config_perm($rpcenv, $authuser, $vmid, $pool, [ keys %$param]);
928
929 &$check_vm_create_serial_perm($rpcenv, $authuser, $vmid, $pool, $param);
930 check_vm_create_usb_perm($rpcenv, $authuser, $vmid, $pool, $param);
931 check_vm_create_hostpci_perm($rpcenv, $authuser, $vmid, $pool, $param);
932
933 PVE::QemuServer::check_bridge_access($rpcenv, $authuser, $param);
934 &$check_cpu_model_access($rpcenv, $authuser, $param);
935
936 $check_drive_param->($param, $storecfg);
937
938 PVE::QemuServer::add_random_macs($param);
939 }
940
941 my $emsg = $is_restore ? "unable to restore VM $vmid -" : "unable to create VM $vmid -";
942
943 eval { PVE::QemuConfig->create_and_lock_config($vmid, $force) };
944 die "$emsg $@" if $@;
945
946 my $restored_data = 0;
947 my $restorefn = sub {
948 my $conf = PVE::QemuConfig->load_config($vmid);
949
950 PVE::QemuConfig->check_protection($conf, $emsg);
951
952 die "$emsg vm is running\n" if PVE::QemuServer::check_running($vmid);
953
954 my $realcmd = sub {
955 my $restore_options = {
956 storage => $storage,
957 pool => $pool,
958 unique => $unique,
959 bwlimit => $bwlimit,
960 live => $live_restore,
961 override_conf => $param,
962 };
963 if (my $volid = $archive->{volid}) {
964 # best effort, real check is after restoring!
965 my $merged = eval {
966 my $old_conf = PVE::Storage::extract_vzdump_config($storecfg, $volid);
967 PVE::QemuServer::restore_merge_config("backup/qemu-server/$vmid.conf", $old_conf, $param);
968 };
969 if ($@) {
970 warn "Could not extract backed up config: $@\n";
971 warn "Skipping early checks!\n";
972 } else {
973 PVE::QemuServer::check_restore_permissions($rpcenv, $authuser, $merged);
974 }
975 }
976 if ($archive->{type} eq 'file' || $archive->{type} eq 'pipe') {
977 die "live-restore is only compatible with backup images from a Proxmox Backup Server\n"
978 if $live_restore;
979 PVE::QemuServer::restore_file_archive($archive->{path} // '-', $vmid, $authuser, $restore_options);
980 } elsif ($archive->{type} eq 'pbs') {
981 PVE::QemuServer::restore_proxmox_backup_archive($archive->{volid}, $vmid, $authuser, $restore_options);
982 } else {
983 die "unknown backup archive type\n";
984 }
985 $restored_data = 1;
986
987 my $restored_conf = PVE::QemuConfig->load_config($vmid);
988 # Convert restored VM to template if backup was VM template
989 if (PVE::QemuConfig->is_template($restored_conf)) {
990 warn "Convert to template.\n";
991 eval { PVE::QemuServer::template_create($vmid, $restored_conf) };
992 warn $@ if $@;
993 }
994 };
995
996 # ensure no old replication state are exists
997 PVE::ReplicationState::delete_guest_states($vmid);
998
999 PVE::QemuConfig->lock_config_full($vmid, 1, $realcmd);
1000
1001 if ($start_after_create && !$live_restore) {
1002 print "Execute autostart\n";
1003 eval { PVE::API2::Qemu->vm_start({ vmid => $vmid, node => $node }) };
1004 warn $@ if $@;
1005 }
1006 };
1007
1008 my $createfn = sub {
1009 # ensure no old replication state are exists
1010 PVE::ReplicationState::delete_guest_states($vmid);
1011
1012 my $realcmd = sub {
1013 my $conf = $param;
1014 my $arch = PVE::QemuServer::get_vm_arch($conf);
1015
1016 $conf->{meta} = PVE::QemuServer::new_meta_info_string();
1017
1018 my $vollist = [];
1019 eval {
1020 ($vollist, my $created_opts) = $create_disks->(
1021 $rpcenv,
1022 $authuser,
1023 $conf,
1024 $arch,
1025 $storecfg,
1026 $vmid,
1027 $pool,
1028 $param,
1029 $storage,
1030 );
1031 $conf->{$_} = $created_opts->{$_} for keys $created_opts->%*;
1032
1033 if (!$conf->{boot}) {
1034 my $devs = PVE::QemuServer::get_default_bootdevices($conf);
1035 $conf->{boot} = PVE::QemuServer::print_bootorder($devs);
1036 }
1037
1038 # auto generate uuid if user did not specify smbios1 option
1039 if (!$conf->{smbios1}) {
1040 $conf->{smbios1} = PVE::QemuServer::generate_smbios1_uuid();
1041 }
1042
1043 if ((!defined($conf->{vmgenid}) || $conf->{vmgenid} eq '1') && $arch ne 'aarch64') {
1044 $conf->{vmgenid} = PVE::QemuServer::generate_uuid();
1045 }
1046
1047 my $machine = $conf->{machine};
1048 if (!$machine || $machine =~ m/^(?:pc|q35|virt)$/) {
1049 # always pin Windows' machine version on create, they get to easily confused
1050 if (PVE::QemuServer::Helpers::windows_version($conf->{ostype})) {
1051 $conf->{machine} = PVE::QemuServer::windows_get_pinned_machine_version($machine);
1052 }
1053 }
1054
1055 PVE::QemuConfig->write_config($vmid, $conf);
1056
1057 };
1058 my $err = $@;
1059
1060 if ($err) {
1061 foreach my $volid (@$vollist) {
1062 eval { PVE::Storage::vdisk_free($storecfg, $volid); };
1063 warn $@ if $@;
1064 }
1065 die "$emsg $err";
1066 }
1067
1068 PVE::AccessControl::add_vm_to_pool($vmid, $pool) if $pool;
1069 };
1070
1071 PVE::QemuConfig->lock_config_full($vmid, 1, $realcmd);
1072
1073 if ($start_after_create) {
1074 print "Execute autostart\n";
1075 eval { PVE::API2::Qemu->vm_start({vmid => $vmid, node => $node}) };
1076 warn $@ if $@;
1077 }
1078 };
1079
1080 my ($code, $worker_name);
1081 if ($is_restore) {
1082 $worker_name = 'qmrestore';
1083 $code = sub {
1084 eval { $restorefn->() };
1085 if (my $err = $@) {
1086 eval { PVE::QemuConfig->remove_lock($vmid, 'create') };
1087 warn $@ if $@;
1088 if ($restored_data) {
1089 warn "error after data was restored, VM disks should be OK but config may "
1090 ."require adaptions. VM $vmid state is NOT cleaned up.\n";
1091 } else {
1092 warn "error before or during data restore, some or all disks were not "
1093 ."completely restored. VM $vmid state is NOT cleaned up.\n";
1094 }
1095 die $err;
1096 }
1097 };
1098 } else {
1099 $worker_name = 'qmcreate';
1100 $code = sub {
1101 eval { $createfn->() };
1102 if (my $err = $@) {
1103 eval {
1104 my $conffile = PVE::QemuConfig->config_file($vmid);
1105 unlink($conffile) or die "failed to remove config file: $!\n";
1106 };
1107 warn $@ if $@;
1108 die $err;
1109 }
1110 };
1111 }
1112
1113 return $rpcenv->fork_worker($worker_name, $vmid, $authuser, $code);
1114 }});
1115
1116 __PACKAGE__->register_method({
1117 name => 'vmdiridx',
1118 path => '{vmid}',
1119 method => 'GET',
1120 proxyto => 'node',
1121 description => "Directory index",
1122 permissions => {
1123 user => 'all',
1124 },
1125 parameters => {
1126 additionalProperties => 0,
1127 properties => {
1128 node => get_standard_option('pve-node'),
1129 vmid => get_standard_option('pve-vmid'),
1130 },
1131 },
1132 returns => {
1133 type => 'array',
1134 items => {
1135 type => "object",
1136 properties => {
1137 subdir => { type => 'string' },
1138 },
1139 },
1140 links => [ { rel => 'child', href => "{subdir}" } ],
1141 },
1142 code => sub {
1143 my ($param) = @_;
1144
1145 my $res = [
1146 { subdir => 'config' },
1147 { subdir => 'cloudinit' },
1148 { subdir => 'pending' },
1149 { subdir => 'status' },
1150 { subdir => 'unlink' },
1151 { subdir => 'vncproxy' },
1152 { subdir => 'termproxy' },
1153 { subdir => 'migrate' },
1154 { subdir => 'resize' },
1155 { subdir => 'move' },
1156 { subdir => 'rrd' },
1157 { subdir => 'rrddata' },
1158 { subdir => 'monitor' },
1159 { subdir => 'agent' },
1160 { subdir => 'snapshot' },
1161 { subdir => 'spiceproxy' },
1162 { subdir => 'sendkey' },
1163 { subdir => 'firewall' },
1164 { subdir => 'mtunnel' },
1165 { subdir => 'remote_migrate' },
1166 ];
1167
1168 return $res;
1169 }});
1170
1171 __PACKAGE__->register_method ({
1172 subclass => "PVE::API2::Firewall::VM",
1173 path => '{vmid}/firewall',
1174 });
1175
1176 __PACKAGE__->register_method ({
1177 subclass => "PVE::API2::Qemu::Agent",
1178 path => '{vmid}/agent',
1179 });
1180
1181 __PACKAGE__->register_method({
1182 name => 'rrd',
1183 path => '{vmid}/rrd',
1184 method => 'GET',
1185 protected => 1, # fixme: can we avoid that?
1186 permissions => {
1187 check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
1188 },
1189 description => "Read VM RRD statistics (returns PNG)",
1190 parameters => {
1191 additionalProperties => 0,
1192 properties => {
1193 node => get_standard_option('pve-node'),
1194 vmid => get_standard_option('pve-vmid'),
1195 timeframe => {
1196 description => "Specify the time frame you are interested in.",
1197 type => 'string',
1198 enum => [ 'hour', 'day', 'week', 'month', 'year' ],
1199 },
1200 ds => {
1201 description => "The list of datasources you want to display.",
1202 type => 'string', format => 'pve-configid-list',
1203 },
1204 cf => {
1205 description => "The RRD consolidation function",
1206 type => 'string',
1207 enum => [ 'AVERAGE', 'MAX' ],
1208 optional => 1,
1209 },
1210 },
1211 },
1212 returns => {
1213 type => "object",
1214 properties => {
1215 filename => { type => 'string' },
1216 },
1217 },
1218 code => sub {
1219 my ($param) = @_;
1220
1221 return PVE::RRD::create_rrd_graph(
1222 "pve2-vm/$param->{vmid}", $param->{timeframe},
1223 $param->{ds}, $param->{cf});
1224
1225 }});
1226
1227 __PACKAGE__->register_method({
1228 name => 'rrddata',
1229 path => '{vmid}/rrddata',
1230 method => 'GET',
1231 protected => 1, # fixme: can we avoid that?
1232 permissions => {
1233 check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
1234 },
1235 description => "Read VM RRD statistics",
1236 parameters => {
1237 additionalProperties => 0,
1238 properties => {
1239 node => get_standard_option('pve-node'),
1240 vmid => get_standard_option('pve-vmid'),
1241 timeframe => {
1242 description => "Specify the time frame you are interested in.",
1243 type => 'string',
1244 enum => [ 'hour', 'day', 'week', 'month', 'year' ],
1245 },
1246 cf => {
1247 description => "The RRD consolidation function",
1248 type => 'string',
1249 enum => [ 'AVERAGE', 'MAX' ],
1250 optional => 1,
1251 },
1252 },
1253 },
1254 returns => {
1255 type => "array",
1256 items => {
1257 type => "object",
1258 properties => {},
1259 },
1260 },
1261 code => sub {
1262 my ($param) = @_;
1263
1264 return PVE::RRD::create_rrd_data(
1265 "pve2-vm/$param->{vmid}", $param->{timeframe}, $param->{cf});
1266 }});
1267
1268
1269 __PACKAGE__->register_method({
1270 name => 'vm_config',
1271 path => '{vmid}/config',
1272 method => 'GET',
1273 proxyto => 'node',
1274 description => "Get the virtual machine configuration with pending configuration " .
1275 "changes applied. Set the 'current' parameter to get the current configuration instead.",
1276 permissions => {
1277 check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
1278 },
1279 parameters => {
1280 additionalProperties => 0,
1281 properties => {
1282 node => get_standard_option('pve-node'),
1283 vmid => get_standard_option('pve-vmid', { completion => \&PVE::QemuServer::complete_vmid }),
1284 current => {
1285 description => "Get current values (instead of pending values).",
1286 optional => 1,
1287 default => 0,
1288 type => 'boolean',
1289 },
1290 snapshot => get_standard_option('pve-snapshot-name', {
1291 description => "Fetch config values from given snapshot.",
1292 optional => 1,
1293 completion => sub {
1294 my ($cmd, $pname, $cur, $args) = @_;
1295 PVE::QemuConfig->snapshot_list($args->[0]);
1296 },
1297 }),
1298 },
1299 },
1300 returns => {
1301 description => "The VM configuration.",
1302 type => "object",
1303 properties => PVE::QemuServer::json_config_properties({
1304 digest => {
1305 type => 'string',
1306 description => 'SHA1 digest of configuration file. This can be used to prevent concurrent modifications.',
1307 }
1308 }),
1309 },
1310 code => sub {
1311 my ($param) = @_;
1312
1313 raise_param_exc({ snapshot => "cannot use 'snapshot' parameter with 'current'",
1314 current => "cannot use 'snapshot' parameter with 'current'"})
1315 if ($param->{snapshot} && $param->{current});
1316
1317 my $conf;
1318 if ($param->{snapshot}) {
1319 $conf = PVE::QemuConfig->load_snapshot_config($param->{vmid}, $param->{snapshot});
1320 } else {
1321 $conf = PVE::QemuConfig->load_current_config($param->{vmid}, $param->{current});
1322 }
1323 $conf->{cipassword} = '**********' if $conf->{cipassword};
1324 return $conf;
1325
1326 }});
1327
1328 __PACKAGE__->register_method({
1329 name => 'vm_pending',
1330 path => '{vmid}/pending',
1331 method => 'GET',
1332 proxyto => 'node',
1333 description => "Get the virtual machine configuration with both current and pending values.",
1334 permissions => {
1335 check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
1336 },
1337 parameters => {
1338 additionalProperties => 0,
1339 properties => {
1340 node => get_standard_option('pve-node'),
1341 vmid => get_standard_option('pve-vmid', { completion => \&PVE::QemuServer::complete_vmid }),
1342 },
1343 },
1344 returns => {
1345 type => "array",
1346 items => {
1347 type => "object",
1348 properties => {
1349 key => {
1350 description => "Configuration option name.",
1351 type => 'string',
1352 },
1353 value => {
1354 description => "Current value.",
1355 type => 'string',
1356 optional => 1,
1357 },
1358 pending => {
1359 description => "Pending value.",
1360 type => 'string',
1361 optional => 1,
1362 },
1363 delete => {
1364 description => "Indicates a pending delete request if present and not 0. " .
1365 "The value 2 indicates a force-delete request.",
1366 type => 'integer',
1367 minimum => 0,
1368 maximum => 2,
1369 optional => 1,
1370 },
1371 },
1372 },
1373 },
1374 code => sub {
1375 my ($param) = @_;
1376
1377 my $conf = PVE::QemuConfig->load_config($param->{vmid});
1378
1379 my $pending_delete_hash = PVE::QemuConfig->parse_pending_delete($conf->{pending}->{delete});
1380
1381 $conf->{cipassword} = '**********' if defined($conf->{cipassword});
1382 $conf->{pending}->{cipassword} = '********** ' if defined($conf->{pending}->{cipassword});
1383
1384 return PVE::GuestHelpers::config_with_pending_array($conf, $pending_delete_hash);
1385 }});
1386
1387 __PACKAGE__->register_method({
1388 name => 'cloudinit_pending',
1389 path => '{vmid}/cloudinit',
1390 method => 'GET',
1391 proxyto => 'node',
1392 description => "Get the cloudinit configuration with both current and pending values.",
1393 permissions => {
1394 check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
1395 },
1396 parameters => {
1397 additionalProperties => 0,
1398 properties => {
1399 node => get_standard_option('pve-node'),
1400 vmid => get_standard_option('pve-vmid', { completion => \&PVE::QemuServer::complete_vmid }),
1401 },
1402 },
1403 returns => {
1404 type => "array",
1405 items => {
1406 type => "object",
1407 properties => {
1408 key => {
1409 description => "Configuration option name.",
1410 type => 'string',
1411 },
1412 value => {
1413 description => "Value as it was used to generate the current cloudinit image.",
1414 type => 'string',
1415 optional => 1,
1416 },
1417 pending => {
1418 description => "The new pending value.",
1419 type => 'string',
1420 optional => 1,
1421 },
1422 delete => {
1423 description => "Indicates a pending delete request if present and not 0. ",
1424 type => 'integer',
1425 minimum => 0,
1426 maximum => 1,
1427 optional => 1,
1428 },
1429 },
1430 },
1431 },
1432 code => sub {
1433 my ($param) = @_;
1434
1435 my $vmid = $param->{vmid};
1436 my $conf = PVE::QemuConfig->load_config($vmid);
1437
1438 my $ci = $conf->{cloudinit};
1439
1440 $conf->{cipassword} = '**********' if exists $conf->{cipassword};
1441 $ci->{cipassword} = '**********' if exists $ci->{cipassword};
1442
1443 my $res = [];
1444
1445 # All the values that got added
1446 my $added = delete($ci->{added}) // '';
1447 for my $key (PVE::Tools::split_list($added)) {
1448 push @$res, { key => $key, pending => $conf->{$key} };
1449 }
1450
1451 # All already existing values (+ their new value, if it exists)
1452 for my $opt (keys %$cloudinitoptions) {
1453 next if !$conf->{$opt};
1454 next if $added =~ m/$opt/;
1455 my $item = {
1456 key => $opt,
1457 };
1458
1459 if (my $pending = $ci->{$opt}) {
1460 $item->{value} = $pending;
1461 $item->{pending} = $conf->{$opt};
1462 } else {
1463 $item->{value} = $conf->{$opt},
1464 }
1465
1466 push @$res, $item;
1467 }
1468
1469 # Now, we'll find the deleted ones
1470 for my $opt (keys %$ci) {
1471 next if $conf->{$opt};
1472 push @$res, { key => $opt, delete => 1 };
1473 }
1474
1475 return $res;
1476 }});
1477
1478 __PACKAGE__->register_method({
1479 name => 'cloudinit_update',
1480 path => '{vmid}/cloudinit',
1481 method => 'PUT',
1482 protected => 1,
1483 proxyto => 'node',
1484 description => "Regenerate and change cloudinit config drive.",
1485 permissions => {
1486 check => ['perm', '/vms/{vmid}', ['VM.Config.Cloudinit']],
1487 },
1488 parameters => {
1489 additionalProperties => 0,
1490 properties => {
1491 node => get_standard_option('pve-node'),
1492 vmid => get_standard_option('pve-vmid'),
1493 },
1494 },
1495 returns => { type => 'null' },
1496 code => sub {
1497 my ($param) = @_;
1498
1499 my $rpcenv = PVE::RPCEnvironment::get();
1500 my $authuser = $rpcenv->get_user();
1501
1502 my $vmid = extract_param($param, 'vmid');
1503
1504 PVE::QemuConfig->lock_config($vmid, sub {
1505 my $conf = PVE::QemuConfig->load_config($vmid);
1506 PVE::QemuConfig->check_lock($conf);
1507
1508 my $storecfg = PVE::Storage::config();
1509 PVE::QemuServer::vmconfig_update_cloudinit_drive($storecfg, $conf, $vmid);
1510 });
1511 return;
1512 }});
1513
1514 # POST/PUT {vmid}/config implementation
1515 #
1516 # The original API used PUT (idempotent) an we assumed that all operations
1517 # are fast. But it turned out that almost any configuration change can
1518 # involve hot-plug actions, or disk alloc/free. Such actions can take long
1519 # time to complete and have side effects (not idempotent).
1520 #
1521 # The new implementation uses POST and forks a worker process. We added
1522 # a new option 'background_delay'. If specified we wait up to
1523 # 'background_delay' second for the worker task to complete. It returns null
1524 # if the task is finished within that time, else we return the UPID.
1525
1526 my $update_vm_api = sub {
1527 my ($param, $sync) = @_;
1528
1529 my $rpcenv = PVE::RPCEnvironment::get();
1530
1531 my $authuser = $rpcenv->get_user();
1532
1533 my $node = extract_param($param, 'node');
1534
1535 my $vmid = extract_param($param, 'vmid');
1536
1537 my $digest = extract_param($param, 'digest');
1538
1539 my $background_delay = extract_param($param, 'background_delay');
1540
1541 my $skip_cloud_init = extract_param($param, 'skip_cloud_init');
1542
1543 if (defined(my $cipassword = $param->{cipassword})) {
1544 # Same logic as in cloud-init (but with the regex fixed...)
1545 $param->{cipassword} = PVE::Tools::encrypt_pw($cipassword)
1546 if $cipassword !~ /^\$(?:[156]|2[ay])(\$.+){2}/;
1547 }
1548
1549 my @paramarr = (); # used for log message
1550 foreach my $key (sort keys %$param) {
1551 my $value = $key eq 'cipassword' ? '<hidden>' : $param->{$key};
1552 push @paramarr, "-$key", $value;
1553 }
1554
1555 my $skiplock = extract_param($param, 'skiplock');
1556 raise_param_exc({ skiplock => "Only root may use this option." })
1557 if $skiplock && $authuser ne 'root@pam';
1558
1559 my $delete_str = extract_param($param, 'delete');
1560
1561 my $revert_str = extract_param($param, 'revert');
1562
1563 my $force = extract_param($param, 'force');
1564
1565 if (defined(my $ssh_keys = $param->{sshkeys})) {
1566 $ssh_keys = URI::Escape::uri_unescape($ssh_keys);
1567 PVE::Tools::validate_ssh_public_keys($ssh_keys);
1568 }
1569
1570 $param->{cpuunits} = PVE::CGroup::clamp_cpu_shares($param->{cpuunits})
1571 if defined($param->{cpuunits}); # clamp value depending on cgroup version
1572
1573 die "no options specified\n" if !$delete_str && !$revert_str && !scalar(keys %$param);
1574
1575 my $storecfg = PVE::Storage::config();
1576
1577 &$resolve_cdrom_alias($param);
1578
1579 # now try to verify all parameters
1580
1581 my $revert = {};
1582 foreach my $opt (PVE::Tools::split_list($revert_str)) {
1583 if (!PVE::QemuServer::option_exists($opt)) {
1584 raise_param_exc({ revert => "unknown option '$opt'" });
1585 }
1586
1587 raise_param_exc({ delete => "you can't use '-$opt' and " .
1588 "-revert $opt' at the same time" })
1589 if defined($param->{$opt});
1590
1591 $revert->{$opt} = 1;
1592 }
1593
1594 my @delete = ();
1595 foreach my $opt (PVE::Tools::split_list($delete_str)) {
1596 $opt = 'ide2' if $opt eq 'cdrom';
1597
1598 raise_param_exc({ delete => "you can't use '-$opt' and " .
1599 "-delete $opt' at the same time" })
1600 if defined($param->{$opt});
1601
1602 raise_param_exc({ revert => "you can't use '-delete $opt' and " .
1603 "-revert $opt' at the same time" })
1604 if $revert->{$opt};
1605
1606 if (!PVE::QemuServer::option_exists($opt)) {
1607 raise_param_exc({ delete => "unknown option '$opt'" });
1608 }
1609
1610 push @delete, $opt;
1611 }
1612
1613 my $repl_conf = PVE::ReplicationConfig->new();
1614 my $is_replicated = $repl_conf->check_for_existing_jobs($vmid, 1);
1615 my $check_replication = sub {
1616 my ($drive) = @_;
1617 return if !$is_replicated;
1618 my $volid = $drive->{file};
1619 return if !$volid || !($drive->{replicate}//1);
1620 return if PVE::QemuServer::drive_is_cdrom($drive);
1621
1622 my ($storeid, $volname) = PVE::Storage::parse_volume_id($volid, 1);
1623 die "cannot add non-managed/pass-through volume to a replicated VM\n"
1624 if !defined($storeid);
1625
1626 return if defined($volname) && $volname eq 'cloudinit';
1627
1628 my $format;
1629 if ($volid =~ $NEW_DISK_RE) {
1630 $storeid = $2;
1631 $format = $drive->{format} || PVE::Storage::storage_default_format($storecfg, $storeid);
1632 } else {
1633 $format = (PVE::Storage::parse_volname($storecfg, $volid))[6];
1634 }
1635 return if PVE::Storage::storage_can_replicate($storecfg, $storeid, $format);
1636 my $scfg = PVE::Storage::storage_config($storecfg, $storeid);
1637 return if $scfg->{shared};
1638 die "cannot add non-replicatable volume to a replicated VM\n";
1639 };
1640
1641 $check_drive_param->($param, $storecfg, $check_replication);
1642
1643 foreach my $opt (keys %$param) {
1644 if ($opt =~ m/^net(\d+)$/) {
1645 # add macaddr
1646 my $net = PVE::QemuServer::parse_net($param->{$opt});
1647 $param->{$opt} = PVE::QemuServer::print_net($net);
1648 } elsif ($opt eq 'vmgenid') {
1649 if ($param->{$opt} eq '1') {
1650 $param->{$opt} = PVE::QemuServer::generate_uuid();
1651 }
1652 } elsif ($opt eq 'hookscript') {
1653 eval { PVE::GuestHelpers::check_hookscript($param->{$opt}, $storecfg); };
1654 raise_param_exc({ $opt => $@ }) if $@;
1655 }
1656 }
1657
1658 &$check_vm_modify_config_perm($rpcenv, $authuser, $vmid, undef, [@delete]);
1659
1660 &$check_vm_modify_config_perm($rpcenv, $authuser, $vmid, undef, [keys %$param]);
1661
1662 &$check_storage_access($rpcenv, $authuser, $storecfg, $vmid, $param);
1663
1664 PVE::QemuServer::check_bridge_access($rpcenv, $authuser, $param);
1665
1666 my $updatefn = sub {
1667
1668 my $conf = PVE::QemuConfig->load_config($vmid);
1669
1670 die "checksum missmatch (file change by other user?)\n"
1671 if $digest && $digest ne $conf->{digest};
1672
1673 &$check_cpu_model_access($rpcenv, $authuser, $param, $conf);
1674
1675 # FIXME: 'suspended' lock should probabyl be a state or "weak" lock?!
1676 if (scalar(@delete) && grep { $_ eq 'vmstate'} @delete) {
1677 if (defined($conf->{lock}) && $conf->{lock} eq 'suspended') {
1678 delete $conf->{lock}; # for check lock check, not written out
1679 push @delete, 'lock'; # this is the real deal to write it out
1680 }
1681 push @delete, 'runningmachine' if $conf->{runningmachine};
1682 push @delete, 'runningcpu' if $conf->{runningcpu};
1683 }
1684
1685 PVE::QemuConfig->check_lock($conf) if !$skiplock;
1686
1687 foreach my $opt (keys %$revert) {
1688 if (defined($conf->{$opt})) {
1689 $param->{$opt} = $conf->{$opt};
1690 } elsif (defined($conf->{pending}->{$opt})) {
1691 push @delete, $opt;
1692 }
1693 }
1694
1695 if ($param->{memory} || defined($param->{balloon})) {
1696
1697 my $memory = $param->{memory} || $conf->{pending}->{memory} || $conf->{memory};
1698 my $maxmem = get_current_memory($memory);
1699 my $balloon = defined($param->{balloon}) ? $param->{balloon} : $conf->{pending}->{balloon} || $conf->{balloon};
1700
1701 die "balloon value too large (must be smaller than assigned memory)\n"
1702 if $balloon && $balloon > $maxmem;
1703 }
1704
1705 PVE::Cluster::log_msg('info', $authuser, "update VM $vmid: " . join (' ', @paramarr));
1706
1707 my $worker = sub {
1708
1709 print "update VM $vmid: " . join (' ', @paramarr) . "\n";
1710
1711 # write updates to pending section
1712
1713 my $modified = {}; # record what $option we modify
1714
1715 my @bootorder;
1716 if (my $boot = $conf->{boot}) {
1717 my $bootcfg = PVE::JSONSchema::parse_property_string('pve-qm-boot', $boot);
1718 @bootorder = PVE::Tools::split_list($bootcfg->{order}) if $bootcfg && $bootcfg->{order};
1719 }
1720 my $bootorder_deleted = grep {$_ eq 'bootorder'} @delete;
1721
1722 my $check_drive_perms = sub {
1723 my ($opt, $val) = @_;
1724 my $drive = PVE::QemuServer::parse_drive($opt, $val, 1);
1725 if (PVE::QemuServer::drive_is_cloudinit($drive)) {
1726 $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Cloudinit', 'VM.Config.CDROM']);
1727 } elsif (PVE::QemuServer::drive_is_cdrom($drive, 1)) { # CDROM
1728 $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.CDROM']);
1729 } else {
1730 $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Disk']);
1731
1732 }
1733 };
1734
1735 foreach my $opt (@delete) {
1736 $modified->{$opt} = 1;
1737 $conf = PVE::QemuConfig->load_config($vmid); # update/reload
1738
1739 # value of what we want to delete, independent if pending or not
1740 my $val = $conf->{$opt} // $conf->{pending}->{$opt};
1741 if (!defined($val)) {
1742 warn "cannot delete '$opt' - not set in current configuration!\n";
1743 $modified->{$opt} = 0;
1744 next;
1745 }
1746 my $is_pending_val = defined($conf->{pending}->{$opt});
1747 delete $conf->{pending}->{$opt};
1748
1749 # remove from bootorder if necessary
1750 if (!$bootorder_deleted && @bootorder && grep {$_ eq $opt} @bootorder) {
1751 @bootorder = grep {$_ ne $opt} @bootorder;
1752 $conf->{pending}->{boot} = PVE::QemuServer::print_bootorder(\@bootorder);
1753 $modified->{boot} = 1;
1754 }
1755
1756 if ($opt =~ m/^unused/) {
1757 my $drive = PVE::QemuServer::parse_drive($opt, $val);
1758 PVE::QemuConfig->check_protection($conf, "can't remove unused disk '$drive->{file}'");
1759 $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Disk']);
1760 if (PVE::QemuServer::try_deallocate_drive($storecfg, $vmid, $conf, $opt, $drive, $rpcenv, $authuser)) {
1761 delete $conf->{$opt};
1762 PVE::QemuConfig->write_config($vmid, $conf);
1763 }
1764 } elsif ($opt eq 'vmstate') {
1765 PVE::QemuConfig->check_protection($conf, "can't remove vmstate '$val'");
1766 if (PVE::QemuServer::try_deallocate_drive($storecfg, $vmid, $conf, $opt, { file => $val }, $rpcenv, $authuser, 1)) {
1767 delete $conf->{$opt};
1768 PVE::QemuConfig->write_config($vmid, $conf);
1769 }
1770 } elsif (PVE::QemuServer::is_valid_drivename($opt)) {
1771 PVE::QemuConfig->check_protection($conf, "can't remove drive '$opt'");
1772 $check_drive_perms->($opt, $val);
1773 PVE::QemuServer::vmconfig_register_unused_drive($storecfg, $vmid, $conf, PVE::QemuServer::parse_drive($opt, $val))
1774 if $is_pending_val;
1775 PVE::QemuConfig->add_to_pending_delete($conf, $opt, $force);
1776 PVE::QemuConfig->write_config($vmid, $conf);
1777 } elsif ($opt =~ m/^serial\d+$/) {
1778 if ($val eq 'socket') {
1779 $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.HWType']);
1780 } elsif ($authuser ne 'root@pam') {
1781 die "only root can delete '$opt' config for real devices\n";
1782 }
1783 PVE::QemuConfig->add_to_pending_delete($conf, $opt, $force);
1784 PVE::QemuConfig->write_config($vmid, $conf);
1785 } elsif ($opt =~ m/^usb\d+$/) {
1786 check_usb_perm($rpcenv, $authuser, $vmid, undef, $opt, $val);
1787 PVE::QemuConfig->add_to_pending_delete($conf, $opt, $force);
1788 PVE::QemuConfig->write_config($vmid, $conf);
1789 } elsif ($opt =~ m/^hostpci\d+$/) {
1790 check_hostpci_perm($rpcenv, $authuser, $vmid, undef, $opt, $val);
1791 PVE::QemuConfig->add_to_pending_delete($conf, $opt, $force);
1792 PVE::QemuConfig->write_config($vmid, $conf);
1793 } elsif ($opt eq 'tags') {
1794 assert_tag_permissions($vmid, $val, '', $rpcenv, $authuser);
1795 delete $conf->{$opt};
1796 PVE::QemuConfig->write_config($vmid, $conf);
1797 } elsif ($opt =~ m/^net\d+$/) {
1798 if ($conf->{$opt}) {
1799 PVE::QemuServer::check_bridge_access(
1800 $rpcenv,
1801 $authuser,
1802 { $opt => $conf->{$opt} },
1803 );
1804 }
1805 PVE::QemuConfig->add_to_pending_delete($conf, $opt, $force);
1806 PVE::QemuConfig->write_config($vmid, $conf);
1807 } else {
1808 PVE::QemuConfig->add_to_pending_delete($conf, $opt, $force);
1809 PVE::QemuConfig->write_config($vmid, $conf);
1810 }
1811 }
1812
1813 foreach my $opt (keys %$param) { # add/change
1814 $modified->{$opt} = 1;
1815 $conf = PVE::QemuConfig->load_config($vmid); # update/reload
1816 next if defined($conf->{pending}->{$opt}) && ($param->{$opt} eq $conf->{pending}->{$opt}); # skip if nothing changed
1817
1818 my $arch = PVE::QemuServer::get_vm_arch($conf);
1819
1820 if (PVE::QemuServer::is_valid_drivename($opt)) {
1821 # old drive
1822 if ($conf->{$opt}) {
1823 $check_drive_perms->($opt, $conf->{$opt});
1824 }
1825
1826 # new drive
1827 $check_drive_perms->($opt, $param->{$opt});
1828 PVE::QemuServer::vmconfig_register_unused_drive($storecfg, $vmid, $conf, PVE::QemuServer::parse_drive($opt, $conf->{pending}->{$opt}))
1829 if defined($conf->{pending}->{$opt});
1830
1831 my (undef, $created_opts) = $create_disks->(
1832 $rpcenv,
1833 $authuser,
1834 $conf,
1835 $arch,
1836 $storecfg,
1837 $vmid,
1838 undef,
1839 {$opt => $param->{$opt}},
1840 );
1841 $conf->{pending}->{$_} = $created_opts->{$_} for keys $created_opts->%*;
1842
1843 # default legacy boot order implies all cdroms anyway
1844 if (@bootorder) {
1845 # append new CD drives to bootorder to mark them bootable
1846 my $drive = PVE::QemuServer::parse_drive($opt, $param->{$opt}, 1);
1847 if (PVE::QemuServer::drive_is_cdrom($drive, 1) && !grep(/^$opt$/, @bootorder)) {
1848 push @bootorder, $opt;
1849 $conf->{pending}->{boot} = PVE::QemuServer::print_bootorder(\@bootorder);
1850 $modified->{boot} = 1;
1851 }
1852 }
1853 } elsif ($opt =~ m/^serial\d+/) {
1854 if ((!defined($conf->{$opt}) || $conf->{$opt} eq 'socket') && $param->{$opt} eq 'socket') {
1855 $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.HWType']);
1856 } elsif ($authuser ne 'root@pam') {
1857 die "only root can modify '$opt' config for real devices\n";
1858 }
1859 $conf->{pending}->{$opt} = $param->{$opt};
1860 } elsif ($opt =~ m/^usb\d+/) {
1861 if (my $olddevice = $conf->{$opt}) {
1862 check_usb_perm($rpcenv, $authuser, $vmid, undef, $opt, $conf->{$opt});
1863 }
1864 check_usb_perm($rpcenv, $authuser, $vmid, undef, $opt, $param->{$opt});
1865 $conf->{pending}->{$opt} = $param->{$opt};
1866 } elsif ($opt =~ m/^hostpci\d+$/) {
1867 if (my $oldvalue = $conf->{$opt}) {
1868 check_hostpci_perm($rpcenv, $authuser, $vmid, undef, $opt, $oldvalue);
1869 }
1870 check_hostpci_perm($rpcenv, $authuser, $vmid, undef, $opt, $param->{$opt});
1871 $conf->{pending}->{$opt} = $param->{$opt};
1872 } elsif ($opt eq 'tags') {
1873 assert_tag_permissions($vmid, $conf->{$opt}, $param->{$opt}, $rpcenv, $authuser);
1874 $conf->{pending}->{$opt} = PVE::GuestHelpers::get_unique_tags($param->{$opt});
1875 } elsif ($opt =~ m/^net\d+$/) {
1876 if ($conf->{$opt}) {
1877 PVE::QemuServer::check_bridge_access(
1878 $rpcenv,
1879 $authuser,
1880 { $opt => $conf->{$opt} },
1881 );
1882 }
1883 $conf->{pending}->{$opt} = $param->{$opt};
1884 } else {
1885 $conf->{pending}->{$opt} = $param->{$opt};
1886
1887 if ($opt eq 'boot') {
1888 my $new_bootcfg = PVE::JSONSchema::parse_property_string('pve-qm-boot', $param->{$opt});
1889 if ($new_bootcfg->{order}) {
1890 my @devs = PVE::Tools::split_list($new_bootcfg->{order});
1891 for my $dev (@devs) {
1892 my $exists = $conf->{$dev} || $conf->{pending}->{$dev} || $param->{$dev};
1893 my $deleted = grep {$_ eq $dev} @delete;
1894 die "invalid bootorder: device '$dev' does not exist'\n"
1895 if !$exists || $deleted;
1896 }
1897
1898 # remove legacy boot order settings if new one set
1899 $conf->{pending}->{$opt} = PVE::QemuServer::print_bootorder(\@devs);
1900 PVE::QemuConfig->add_to_pending_delete($conf, "bootdisk")
1901 if $conf->{bootdisk};
1902 }
1903 }
1904 }
1905 PVE::QemuConfig->remove_from_pending_delete($conf, $opt);
1906 PVE::QemuConfig->write_config($vmid, $conf);
1907 }
1908
1909 # remove pending changes when nothing changed
1910 $conf = PVE::QemuConfig->load_config($vmid); # update/reload
1911 my $changes = PVE::QemuConfig->cleanup_pending($conf);
1912 PVE::QemuConfig->write_config($vmid, $conf) if $changes;
1913
1914 return if !scalar(keys %{$conf->{pending}});
1915
1916 my $running = PVE::QemuServer::check_running($vmid);
1917
1918 # apply pending changes
1919
1920 $conf = PVE::QemuConfig->load_config($vmid); # update/reload
1921
1922 my $errors = {};
1923 if ($running) {
1924 PVE::QemuServer::vmconfig_hotplug_pending($vmid, $conf, $storecfg, $modified, $errors);
1925 } else {
1926 # cloud_init must be skipped if we are in an incoming, remote live migration
1927 PVE::QemuServer::vmconfig_apply_pending($vmid, $conf, $storecfg, $errors, $skip_cloud_init);
1928 }
1929 raise_param_exc($errors) if scalar(keys %$errors);
1930
1931 return;
1932 };
1933
1934 if ($sync) {
1935 &$worker();
1936 return;
1937 } else {
1938 my $upid = $rpcenv->fork_worker('qmconfig', $vmid, $authuser, $worker);
1939
1940 if ($background_delay) {
1941
1942 # Note: It would be better to do that in the Event based HTTPServer
1943 # to avoid blocking call to sleep.
1944
1945 my $end_time = time() + $background_delay;
1946
1947 my $task = PVE::Tools::upid_decode($upid);
1948
1949 my $running = 1;
1950 while (time() < $end_time) {
1951 $running = PVE::ProcFSTools::check_process_running($task->{pid}, $task->{pstart});
1952 last if !$running;
1953 sleep(1); # this gets interrupted when child process ends
1954 }
1955
1956 if (!$running) {
1957 my $status = PVE::Tools::upid_read_status($upid);
1958 return if !PVE::Tools::upid_status_is_error($status);
1959 die "failed to update VM $vmid: $status\n";
1960 }
1961 }
1962
1963 return $upid;
1964 }
1965 };
1966
1967 return PVE::QemuConfig->lock_config($vmid, $updatefn);
1968 };
1969
1970 my $vm_config_perm_list = [
1971 'VM.Config.Disk',
1972 'VM.Config.CDROM',
1973 'VM.Config.CPU',
1974 'VM.Config.Memory',
1975 'VM.Config.Network',
1976 'VM.Config.HWType',
1977 'VM.Config.Options',
1978 'VM.Config.Cloudinit',
1979 ];
1980
1981 __PACKAGE__->register_method({
1982 name => 'update_vm_async',
1983 path => '{vmid}/config',
1984 method => 'POST',
1985 protected => 1,
1986 proxyto => 'node',
1987 description => "Set virtual machine options (asynchrounous API).",
1988 permissions => {
1989 check => ['perm', '/vms/{vmid}', $vm_config_perm_list, any => 1],
1990 },
1991 parameters => {
1992 additionalProperties => 0,
1993 properties => PVE::QemuServer::json_config_properties(
1994 {
1995 node => get_standard_option('pve-node'),
1996 vmid => get_standard_option('pve-vmid'),
1997 skiplock => get_standard_option('skiplock'),
1998 delete => {
1999 type => 'string', format => 'pve-configid-list',
2000 description => "A list of settings you want to delete.",
2001 optional => 1,
2002 },
2003 revert => {
2004 type => 'string', format => 'pve-configid-list',
2005 description => "Revert a pending change.",
2006 optional => 1,
2007 },
2008 force => {
2009 type => 'boolean',
2010 description => $opt_force_description,
2011 optional => 1,
2012 requires => 'delete',
2013 },
2014 digest => {
2015 type => 'string',
2016 description => 'Prevent changes if current configuration file has different SHA1 digest. This can be used to prevent concurrent modifications.',
2017 maxLength => 40,
2018 optional => 1,
2019 },
2020 background_delay => {
2021 type => 'integer',
2022 description => "Time to wait for the task to finish. We return 'null' if the task finish within that time.",
2023 minimum => 1,
2024 maximum => 30,
2025 optional => 1,
2026 },
2027 },
2028 1, # with_disk_alloc
2029 ),
2030 },
2031 returns => {
2032 type => 'string',
2033 optional => 1,
2034 },
2035 code => $update_vm_api,
2036 });
2037
2038 __PACKAGE__->register_method({
2039 name => 'update_vm',
2040 path => '{vmid}/config',
2041 method => 'PUT',
2042 protected => 1,
2043 proxyto => 'node',
2044 description => "Set virtual machine options (synchrounous API) - You should consider using the POST method instead for any actions involving hotplug or storage allocation.",
2045 permissions => {
2046 check => ['perm', '/vms/{vmid}', $vm_config_perm_list, any => 1],
2047 },
2048 parameters => {
2049 additionalProperties => 0,
2050 properties => PVE::QemuServer::json_config_properties(
2051 {
2052 node => get_standard_option('pve-node'),
2053 vmid => get_standard_option('pve-vmid', { completion => \&PVE::QemuServer::complete_vmid }),
2054 skiplock => get_standard_option('skiplock'),
2055 delete => {
2056 type => 'string', format => 'pve-configid-list',
2057 description => "A list of settings you want to delete.",
2058 optional => 1,
2059 },
2060 revert => {
2061 type => 'string', format => 'pve-configid-list',
2062 description => "Revert a pending change.",
2063 optional => 1,
2064 },
2065 force => {
2066 type => 'boolean',
2067 description => $opt_force_description,
2068 optional => 1,
2069 requires => 'delete',
2070 },
2071 digest => {
2072 type => 'string',
2073 description => 'Prevent changes if current configuration file has different SHA1 digest. This can be used to prevent concurrent modifications.',
2074 maxLength => 40,
2075 optional => 1,
2076 },
2077 },
2078 1, # with_disk_alloc
2079 ),
2080 },
2081 returns => { type => 'null' },
2082 code => sub {
2083 my ($param) = @_;
2084 &$update_vm_api($param, 1);
2085 return;
2086 }
2087 });
2088
2089 __PACKAGE__->register_method({
2090 name => 'destroy_vm',
2091 path => '{vmid}',
2092 method => 'DELETE',
2093 protected => 1,
2094 proxyto => 'node',
2095 description => "Destroy the VM and all used/owned volumes. Removes any VM specific permissions"
2096 ." and firewall rules",
2097 permissions => {
2098 check => [ 'perm', '/vms/{vmid}', ['VM.Allocate']],
2099 },
2100 parameters => {
2101 additionalProperties => 0,
2102 properties => {
2103 node => get_standard_option('pve-node'),
2104 vmid => get_standard_option('pve-vmid', { completion => \&PVE::QemuServer::complete_vmid_stopped }),
2105 skiplock => get_standard_option('skiplock'),
2106 purge => {
2107 type => 'boolean',
2108 description => "Remove VMID from configurations, like backup & replication jobs and HA.",
2109 optional => 1,
2110 },
2111 'destroy-unreferenced-disks' => {
2112 type => 'boolean',
2113 description => "If set, destroy additionally all disks not referenced in the config"
2114 ." but with a matching VMID from all enabled storages.",
2115 optional => 1,
2116 default => 0,
2117 },
2118 },
2119 },
2120 returns => {
2121 type => 'string',
2122 },
2123 code => sub {
2124 my ($param) = @_;
2125
2126 my $rpcenv = PVE::RPCEnvironment::get();
2127 my $authuser = $rpcenv->get_user();
2128 my $vmid = $param->{vmid};
2129
2130 my $skiplock = $param->{skiplock};
2131 raise_param_exc({ skiplock => "Only root may use this option." })
2132 if $skiplock && $authuser ne 'root@pam';
2133
2134 my $early_checks = sub {
2135 # test if VM exists
2136 my $conf = PVE::QemuConfig->load_config($vmid);
2137 PVE::QemuConfig->check_protection($conf, "can't remove VM $vmid");
2138
2139 my $ha_managed = PVE::HA::Config::service_is_configured("vm:$vmid");
2140
2141 if (!$param->{purge}) {
2142 die "unable to remove VM $vmid - used in HA resources and purge parameter not set.\n"
2143 if $ha_managed;
2144 # don't allow destroy if with replication jobs but no purge param
2145 my $repl_conf = PVE::ReplicationConfig->new();
2146 $repl_conf->check_for_existing_jobs($vmid);
2147 }
2148
2149 die "VM $vmid is running - destroy failed\n"
2150 if PVE::QemuServer::check_running($vmid);
2151
2152 return $ha_managed;
2153 };
2154
2155 $early_checks->();
2156
2157 my $realcmd = sub {
2158 my $upid = shift;
2159
2160 my $storecfg = PVE::Storage::config();
2161
2162 syslog('info', "destroy VM $vmid: $upid\n");
2163 PVE::QemuConfig->lock_config($vmid, sub {
2164 # repeat, config might have changed
2165 my $ha_managed = $early_checks->();
2166
2167 my $purge_unreferenced = $param->{'destroy-unreferenced-disks'};
2168
2169 PVE::QemuServer::destroy_vm(
2170 $storecfg,
2171 $vmid,
2172 $skiplock, { lock => 'destroyed' },
2173 $purge_unreferenced,
2174 );
2175
2176 PVE::AccessControl::remove_vm_access($vmid);
2177 PVE::Firewall::remove_vmfw_conf($vmid);
2178 if ($param->{purge}) {
2179 print "purging VM $vmid from related configurations..\n";
2180 PVE::ReplicationConfig::remove_vmid_jobs($vmid);
2181 PVE::VZDump::Plugin::remove_vmid_from_backup_jobs($vmid);
2182
2183 if ($ha_managed) {
2184 PVE::HA::Config::delete_service_from_config("vm:$vmid");
2185 print "NOTE: removed VM $vmid from HA resource configuration.\n";
2186 }
2187 }
2188
2189 # only now remove the zombie config, else we can have reuse race
2190 PVE::QemuConfig->destroy_config($vmid);
2191 });
2192 };
2193
2194 return $rpcenv->fork_worker('qmdestroy', $vmid, $authuser, $realcmd);
2195 }});
2196
2197 __PACKAGE__->register_method({
2198 name => 'unlink',
2199 path => '{vmid}/unlink',
2200 method => 'PUT',
2201 protected => 1,
2202 proxyto => 'node',
2203 description => "Unlink/delete disk images.",
2204 permissions => {
2205 check => [ 'perm', '/vms/{vmid}', ['VM.Config.Disk']],
2206 },
2207 parameters => {
2208 additionalProperties => 0,
2209 properties => {
2210 node => get_standard_option('pve-node'),
2211 vmid => get_standard_option('pve-vmid', { completion => \&PVE::QemuServer::complete_vmid }),
2212 idlist => {
2213 type => 'string', format => 'pve-configid-list',
2214 description => "A list of disk IDs you want to delete.",
2215 },
2216 force => {
2217 type => 'boolean',
2218 description => $opt_force_description,
2219 optional => 1,
2220 },
2221 },
2222 },
2223 returns => { type => 'null'},
2224 code => sub {
2225 my ($param) = @_;
2226
2227 $param->{delete} = extract_param($param, 'idlist');
2228
2229 __PACKAGE__->update_vm($param);
2230
2231 return;
2232 }});
2233
2234 # uses good entropy, each char is limited to 6 bit to get printable chars simply
2235 my $gen_rand_chars = sub {
2236 my ($length) = @_;
2237
2238 die "invalid length $length" if $length < 1;
2239
2240 my $min = ord('!'); # first printable ascii
2241
2242 my $rand_bytes = Crypt::OpenSSL::Random::random_bytes($length);
2243 die "failed to generate random bytes!\n"
2244 if !$rand_bytes;
2245
2246 my $str = join('', map { chr((ord($_) & 0x3F) + $min) } split('', $rand_bytes));
2247
2248 return $str;
2249 };
2250
2251 my $sslcert;
2252
2253 __PACKAGE__->register_method({
2254 name => 'vncproxy',
2255 path => '{vmid}/vncproxy',
2256 method => 'POST',
2257 protected => 1,
2258 permissions => {
2259 check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
2260 },
2261 description => "Creates a TCP VNC proxy connections.",
2262 parameters => {
2263 additionalProperties => 0,
2264 properties => {
2265 node => get_standard_option('pve-node'),
2266 vmid => get_standard_option('pve-vmid'),
2267 websocket => {
2268 optional => 1,
2269 type => 'boolean',
2270 description => "starts websockify instead of vncproxy",
2271 },
2272 'generate-password' => {
2273 optional => 1,
2274 type => 'boolean',
2275 default => 0,
2276 description => "Generates a random password to be used as ticket instead of the API ticket.",
2277 },
2278 },
2279 },
2280 returns => {
2281 additionalProperties => 0,
2282 properties => {
2283 user => { type => 'string' },
2284 ticket => { type => 'string' },
2285 password => {
2286 optional => 1,
2287 description => "Returned if requested with 'generate-password' param."
2288 ." Consists of printable ASCII characters ('!' .. '~').",
2289 type => 'string',
2290 },
2291 cert => { type => 'string' },
2292 port => { type => 'integer' },
2293 upid => { type => 'string' },
2294 },
2295 },
2296 code => sub {
2297 my ($param) = @_;
2298
2299 my $rpcenv = PVE::RPCEnvironment::get();
2300
2301 my $authuser = $rpcenv->get_user();
2302
2303 my $vmid = $param->{vmid};
2304 my $node = $param->{node};
2305 my $websocket = $param->{websocket};
2306
2307 my $conf = PVE::QemuConfig->load_config($vmid, $node); # check if VM exists
2308
2309 my $serial;
2310 if ($conf->{vga}) {
2311 my $vga = PVE::QemuServer::parse_vga($conf->{vga});
2312 $serial = $vga->{type} if $vga->{type} =~ m/^serial\d+$/;
2313 }
2314
2315 my $authpath = "/vms/$vmid";
2316
2317 my $ticket = PVE::AccessControl::assemble_vnc_ticket($authuser, $authpath);
2318 my $password = $ticket;
2319 if ($param->{'generate-password'}) {
2320 $password = $gen_rand_chars->(8);
2321 }
2322
2323 $sslcert = PVE::Tools::file_get_contents("/etc/pve/pve-root-ca.pem", 8192)
2324 if !$sslcert;
2325
2326 my $family;
2327 my $remcmd = [];
2328
2329 if ($node ne 'localhost' && $node ne PVE::INotify::nodename()) {
2330 (undef, $family) = PVE::Cluster::remote_node_ip($node);
2331 my $sshinfo = PVE::SSHInfo::get_ssh_info($node);
2332 # NOTE: kvm VNC traffic is already TLS encrypted or is known unsecure
2333 $remcmd = PVE::SSHInfo::ssh_info_to_command($sshinfo, defined($serial) ? '-t' : '-T');
2334 } else {
2335 $family = PVE::Tools::get_host_address_family($node);
2336 }
2337
2338 my $port = PVE::Tools::next_vnc_port($family);
2339
2340 my $timeout = 10;
2341
2342 my $realcmd = sub {
2343 my $upid = shift;
2344
2345 syslog('info', "starting vnc proxy $upid\n");
2346
2347 my $cmd;
2348
2349 if (defined($serial)) {
2350
2351 my $termcmd = [ '/usr/sbin/qm', 'terminal', $vmid, '-iface', $serial, '-escape', '0' ];
2352
2353 $cmd = ['/usr/bin/vncterm', '-rfbport', $port,
2354 '-timeout', $timeout, '-authpath', $authpath,
2355 '-perm', 'Sys.Console'];
2356
2357 if ($param->{websocket}) {
2358 $ENV{PVE_VNC_TICKET} = $password; # pass ticket to vncterm
2359 push @$cmd, '-notls', '-listen', 'localhost';
2360 }
2361
2362 push @$cmd, '-c', @$remcmd, @$termcmd;
2363
2364 PVE::Tools::run_command($cmd);
2365
2366 } else {
2367
2368 $ENV{LC_PVE_TICKET} = $password if $websocket; # set ticket with "qm vncproxy"
2369
2370 $cmd = [@$remcmd, "/usr/sbin/qm", 'vncproxy', $vmid];
2371
2372 my $sock = IO::Socket::IP->new(
2373 ReuseAddr => 1,
2374 Listen => 1,
2375 LocalPort => $port,
2376 Proto => 'tcp',
2377 GetAddrInfoFlags => 0,
2378 ) or die "failed to create socket: $!\n";
2379 # Inside the worker we shouldn't have any previous alarms
2380 # running anyway...:
2381 alarm(0);
2382 local $SIG{ALRM} = sub { die "connection timed out\n" };
2383 alarm $timeout;
2384 accept(my $cli, $sock) or die "connection failed: $!\n";
2385 alarm(0);
2386 close($sock);
2387 if (PVE::Tools::run_command($cmd,
2388 output => '>&'.fileno($cli),
2389 input => '<&'.fileno($cli),
2390 noerr => 1) != 0)
2391 {
2392 die "Failed to run vncproxy.\n";
2393 }
2394 }
2395
2396 return;
2397 };
2398
2399 my $upid = $rpcenv->fork_worker('vncproxy', $vmid, $authuser, $realcmd, 1);
2400
2401 PVE::Tools::wait_for_vnc_port($port);
2402
2403 my $res = {
2404 user => $authuser,
2405 ticket => $ticket,
2406 port => $port,
2407 upid => $upid,
2408 cert => $sslcert,
2409 };
2410 $res->{password} = $password if $param->{'generate-password'};
2411
2412 return $res;
2413 }});
2414
2415 __PACKAGE__->register_method({
2416 name => 'termproxy',
2417 path => '{vmid}/termproxy',
2418 method => 'POST',
2419 protected => 1,
2420 permissions => {
2421 check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
2422 },
2423 description => "Creates a TCP proxy connections.",
2424 parameters => {
2425 additionalProperties => 0,
2426 properties => {
2427 node => get_standard_option('pve-node'),
2428 vmid => get_standard_option('pve-vmid'),
2429 serial=> {
2430 optional => 1,
2431 type => 'string',
2432 enum => [qw(serial0 serial1 serial2 serial3)],
2433 description => "opens a serial terminal (defaults to display)",
2434 },
2435 },
2436 },
2437 returns => {
2438 additionalProperties => 0,
2439 properties => {
2440 user => { type => 'string' },
2441 ticket => { type => 'string' },
2442 port => { type => 'integer' },
2443 upid => { type => 'string' },
2444 },
2445 },
2446 code => sub {
2447 my ($param) = @_;
2448
2449 my $rpcenv = PVE::RPCEnvironment::get();
2450
2451 my $authuser = $rpcenv->get_user();
2452
2453 my $vmid = $param->{vmid};
2454 my $node = $param->{node};
2455 my $serial = $param->{serial};
2456
2457 my $conf = PVE::QemuConfig->load_config($vmid, $node); # check if VM exists
2458
2459 if (!defined($serial)) {
2460 if ($conf->{vga}) {
2461 my $vga = PVE::QemuServer::parse_vga($conf->{vga});
2462 $serial = $vga->{type} if $vga->{type} =~ m/^serial\d+$/;
2463 }
2464 }
2465
2466 my $authpath = "/vms/$vmid";
2467
2468 my $ticket = PVE::AccessControl::assemble_vnc_ticket($authuser, $authpath);
2469
2470 my $family;
2471 my $remcmd = [];
2472
2473 if ($node ne 'localhost' && $node ne PVE::INotify::nodename()) {
2474 (undef, $family) = PVE::Cluster::remote_node_ip($node);
2475 my $sshinfo = PVE::SSHInfo::get_ssh_info($node);
2476 $remcmd = PVE::SSHInfo::ssh_info_to_command($sshinfo, '-t');
2477 push @$remcmd, '--';
2478 } else {
2479 $family = PVE::Tools::get_host_address_family($node);
2480 }
2481
2482 my $port = PVE::Tools::next_vnc_port($family);
2483
2484 my $termcmd = [ '/usr/sbin/qm', 'terminal', $vmid, '-escape', '0'];
2485 push @$termcmd, '-iface', $serial if $serial;
2486
2487 my $realcmd = sub {
2488 my $upid = shift;
2489
2490 syslog('info', "starting qemu termproxy $upid\n");
2491
2492 my $cmd = ['/usr/bin/termproxy', $port, '--path', $authpath,
2493 '--perm', 'VM.Console', '--'];
2494 push @$cmd, @$remcmd, @$termcmd;
2495
2496 PVE::Tools::run_command($cmd);
2497 };
2498
2499 my $upid = $rpcenv->fork_worker('vncproxy', $vmid, $authuser, $realcmd, 1);
2500
2501 PVE::Tools::wait_for_vnc_port($port);
2502
2503 return {
2504 user => $authuser,
2505 ticket => $ticket,
2506 port => $port,
2507 upid => $upid,
2508 };
2509 }});
2510
2511 __PACKAGE__->register_method({
2512 name => 'vncwebsocket',
2513 path => '{vmid}/vncwebsocket',
2514 method => 'GET',
2515 permissions => {
2516 description => "You also need to pass a valid ticket (vncticket).",
2517 check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
2518 },
2519 description => "Opens a weksocket for VNC traffic.",
2520 parameters => {
2521 additionalProperties => 0,
2522 properties => {
2523 node => get_standard_option('pve-node'),
2524 vmid => get_standard_option('pve-vmid'),
2525 vncticket => {
2526 description => "Ticket from previous call to vncproxy.",
2527 type => 'string',
2528 maxLength => 512,
2529 },
2530 port => {
2531 description => "Port number returned by previous vncproxy call.",
2532 type => 'integer',
2533 minimum => 5900,
2534 maximum => 5999,
2535 },
2536 },
2537 },
2538 returns => {
2539 type => "object",
2540 properties => {
2541 port => { type => 'string' },
2542 },
2543 },
2544 code => sub {
2545 my ($param) = @_;
2546
2547 my $rpcenv = PVE::RPCEnvironment::get();
2548
2549 my $authuser = $rpcenv->get_user();
2550
2551 my $vmid = $param->{vmid};
2552 my $node = $param->{node};
2553
2554 my $authpath = "/vms/$vmid";
2555
2556 PVE::AccessControl::verify_vnc_ticket($param->{vncticket}, $authuser, $authpath);
2557
2558 my $conf = PVE::QemuConfig->load_config($vmid, $node); # VM exists ?
2559
2560 # Note: VNC ports are acessible from outside, so we do not gain any
2561 # security if we verify that $param->{port} belongs to VM $vmid. This
2562 # check is done by verifying the VNC ticket (inside VNC protocol).
2563
2564 my $port = $param->{port};
2565
2566 return { port => $port };
2567 }});
2568
2569 __PACKAGE__->register_method({
2570 name => 'spiceproxy',
2571 path => '{vmid}/spiceproxy',
2572 method => 'POST',
2573 protected => 1,
2574 proxyto => 'node',
2575 permissions => {
2576 check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
2577 },
2578 description => "Returns a SPICE configuration to connect to the VM.",
2579 parameters => {
2580 additionalProperties => 0,
2581 properties => {
2582 node => get_standard_option('pve-node'),
2583 vmid => get_standard_option('pve-vmid'),
2584 proxy => get_standard_option('spice-proxy', { optional => 1 }),
2585 },
2586 },
2587 returns => get_standard_option('remote-viewer-config'),
2588 code => sub {
2589 my ($param) = @_;
2590
2591 my $rpcenv = PVE::RPCEnvironment::get();
2592
2593 my $authuser = $rpcenv->get_user();
2594
2595 my $vmid = $param->{vmid};
2596 my $node = $param->{node};
2597 my $proxy = $param->{proxy};
2598
2599 my $conf = PVE::QemuConfig->load_config($vmid, $node);
2600 my $title = "VM $vmid";
2601 $title .= " - ". $conf->{name} if $conf->{name};
2602
2603 my $port = PVE::QemuServer::spice_port($vmid);
2604
2605 my ($ticket, undef, $remote_viewer_config) =
2606 PVE::AccessControl::remote_viewer_config($authuser, $vmid, $node, $proxy, $title, $port);
2607
2608 mon_cmd($vmid, "set_password", protocol => 'spice', password => $ticket);
2609 mon_cmd($vmid, "expire_password", protocol => 'spice', time => "+30");
2610
2611 return $remote_viewer_config;
2612 }});
2613
2614 __PACKAGE__->register_method({
2615 name => 'vmcmdidx',
2616 path => '{vmid}/status',
2617 method => 'GET',
2618 proxyto => 'node',
2619 description => "Directory index",
2620 permissions => {
2621 user => 'all',
2622 },
2623 parameters => {
2624 additionalProperties => 0,
2625 properties => {
2626 node => get_standard_option('pve-node'),
2627 vmid => get_standard_option('pve-vmid'),
2628 },
2629 },
2630 returns => {
2631 type => 'array',
2632 items => {
2633 type => "object",
2634 properties => {
2635 subdir => { type => 'string' },
2636 },
2637 },
2638 links => [ { rel => 'child', href => "{subdir}" } ],
2639 },
2640 code => sub {
2641 my ($param) = @_;
2642
2643 # test if VM exists
2644 my $conf = PVE::QemuConfig->load_config($param->{vmid});
2645
2646 my $res = [
2647 { subdir => 'current' },
2648 { subdir => 'start' },
2649 { subdir => 'stop' },
2650 { subdir => 'reset' },
2651 { subdir => 'shutdown' },
2652 { subdir => 'suspend' },
2653 { subdir => 'reboot' },
2654 ];
2655
2656 return $res;
2657 }});
2658
2659 __PACKAGE__->register_method({
2660 name => 'vm_status',
2661 path => '{vmid}/status/current',
2662 method => 'GET',
2663 proxyto => 'node',
2664 protected => 1, # qemu pid files are only readable by root
2665 description => "Get virtual machine status.",
2666 permissions => {
2667 check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
2668 },
2669 parameters => {
2670 additionalProperties => 0,
2671 properties => {
2672 node => get_standard_option('pve-node'),
2673 vmid => get_standard_option('pve-vmid'),
2674 },
2675 },
2676 returns => {
2677 type => 'object',
2678 properties => {
2679 %$PVE::QemuServer::vmstatus_return_properties,
2680 ha => {
2681 description => "HA manager service status.",
2682 type => 'object',
2683 },
2684 spice => {
2685 description => "QEMU VGA configuration supports spice.",
2686 type => 'boolean',
2687 optional => 1,
2688 },
2689 agent => {
2690 description => "QEMU Guest Agent is enabled in config.",
2691 type => 'boolean',
2692 optional => 1,
2693 },
2694 },
2695 },
2696 code => sub {
2697 my ($param) = @_;
2698
2699 # test if VM exists
2700 my $conf = PVE::QemuConfig->load_config($param->{vmid});
2701
2702 my $vmstatus = PVE::QemuServer::vmstatus($param->{vmid}, 1);
2703 my $status = $vmstatus->{$param->{vmid}};
2704
2705 $status->{ha} = PVE::HA::Config::get_service_status("vm:$param->{vmid}");
2706
2707 if ($conf->{vga}) {
2708 my $vga = PVE::QemuServer::parse_vga($conf->{vga});
2709 my $spice = defined($vga->{type}) && $vga->{type} =~ /^virtio/;
2710 $spice ||= PVE::QemuServer::vga_conf_has_spice($conf->{vga});
2711 $status->{spice} = 1 if $spice;
2712 }
2713 $status->{agent} = 1 if PVE::QemuServer::get_qga_key($conf, 'enabled');
2714
2715 return $status;
2716 }});
2717
2718 __PACKAGE__->register_method({
2719 name => 'vm_start',
2720 path => '{vmid}/status/start',
2721 method => 'POST',
2722 protected => 1,
2723 proxyto => 'node',
2724 description => "Start virtual machine.",
2725 permissions => {
2726 check => ['perm', '/vms/{vmid}', [ 'VM.PowerMgmt' ]],
2727 },
2728 parameters => {
2729 additionalProperties => 0,
2730 properties => {
2731 node => get_standard_option('pve-node'),
2732 vmid => get_standard_option('pve-vmid',
2733 { completion => \&PVE::QemuServer::complete_vmid_stopped }),
2734 skiplock => get_standard_option('skiplock'),
2735 stateuri => get_standard_option('pve-qm-stateuri'),
2736 migratedfrom => get_standard_option('pve-node',{ optional => 1 }),
2737 migration_type => {
2738 type => 'string',
2739 enum => ['secure', 'insecure'],
2740 description => "Migration traffic is encrypted using an SSH " .
2741 "tunnel by default. On secure, completely private networks " .
2742 "this can be disabled to increase performance.",
2743 optional => 1,
2744 },
2745 migration_network => {
2746 type => 'string', format => 'CIDR',
2747 description => "CIDR of the (sub) network that is used for migration.",
2748 optional => 1,
2749 },
2750 machine => get_standard_option('pve-qemu-machine'),
2751 'force-cpu' => {
2752 description => "Override QEMU's -cpu argument with the given string.",
2753 type => 'string',
2754 optional => 1,
2755 },
2756 targetstorage => get_standard_option('pve-targetstorage'),
2757 timeout => {
2758 description => "Wait maximal timeout seconds.",
2759 type => 'integer',
2760 minimum => 0,
2761 default => 'max(30, vm memory in GiB)',
2762 optional => 1,
2763 },
2764 },
2765 },
2766 returns => {
2767 type => 'string',
2768 },
2769 code => sub {
2770 my ($param) = @_;
2771
2772 my $rpcenv = PVE::RPCEnvironment::get();
2773 my $authuser = $rpcenv->get_user();
2774
2775 my $node = extract_param($param, 'node');
2776 my $vmid = extract_param($param, 'vmid');
2777 my $timeout = extract_param($param, 'timeout');
2778 my $machine = extract_param($param, 'machine');
2779
2780 my $get_root_param = sub {
2781 my $value = extract_param($param, $_[0]);
2782 raise_param_exc({ "$_[0]" => "Only root may use this option." })
2783 if $value && $authuser ne 'root@pam';
2784 return $value;
2785 };
2786
2787 my $stateuri = $get_root_param->('stateuri');
2788 my $skiplock = $get_root_param->('skiplock');
2789 my $migratedfrom = $get_root_param->('migratedfrom');
2790 my $migration_type = $get_root_param->('migration_type');
2791 my $migration_network = $get_root_param->('migration_network');
2792 my $targetstorage = $get_root_param->('targetstorage');
2793 my $force_cpu = $get_root_param->('force-cpu');
2794
2795 my $storagemap;
2796
2797 if ($targetstorage) {
2798 raise_param_exc({ targetstorage => "targetstorage can only by used with migratedfrom." })
2799 if !$migratedfrom;
2800 $storagemap = eval { PVE::JSONSchema::parse_idmap($targetstorage, 'pve-storage-id') };
2801 raise_param_exc({ targetstorage => "failed to parse storage map: $@" })
2802 if $@;
2803 }
2804
2805 # read spice ticket from STDIN
2806 my $spice_ticket;
2807 my $nbd_protocol_version = 0;
2808 my $replicated_volumes = {};
2809 my $offline_volumes = {};
2810 if ($stateuri && ($stateuri eq 'tcp' || $stateuri eq 'unix') && $migratedfrom && ($rpcenv->{type} eq 'cli')) {
2811 while (defined(my $line = <STDIN>)) {
2812 chomp $line;
2813 if ($line =~ m/^spice_ticket: (.+)$/) {
2814 $spice_ticket = $1;
2815 } elsif ($line =~ m/^nbd_protocol_version: (\d+)$/) {
2816 $nbd_protocol_version = $1;
2817 } elsif ($line =~ m/^replicated_volume: (.*)$/) {
2818 $replicated_volumes->{$1} = 1;
2819 } elsif ($line =~ m/^tpmstate0: (.*)$/) { # Deprecated, use offline_volume instead
2820 $offline_volumes->{tpmstate0} = $1;
2821 } elsif ($line =~ m/^offline_volume: ([^:]+): (.*)$/) {
2822 $offline_volumes->{$1} = $2;
2823 } elsif (!$spice_ticket) {
2824 # fallback for old source node
2825 $spice_ticket = $line;
2826 } else {
2827 warn "unknown 'start' parameter on STDIN: '$line'\n";
2828 }
2829 }
2830 }
2831
2832 PVE::Cluster::check_cfs_quorum();
2833
2834 my $storecfg = PVE::Storage::config();
2835
2836 if (PVE::HA::Config::vm_is_ha_managed($vmid) && !$stateuri && $rpcenv->{type} ne 'ha') {
2837 my $hacmd = sub {
2838 my $upid = shift;
2839
2840 print "Requesting HA start for VM $vmid\n";
2841
2842 my $cmd = ['ha-manager', 'set', "vm:$vmid", '--state', 'started'];
2843 PVE::Tools::run_command($cmd);
2844 return;
2845 };
2846
2847 return $rpcenv->fork_worker('hastart', $vmid, $authuser, $hacmd);
2848
2849 } else {
2850
2851 my $realcmd = sub {
2852 my $upid = shift;
2853
2854 syslog('info', "start VM $vmid: $upid\n");
2855
2856 my $migrate_opts = {
2857 migratedfrom => $migratedfrom,
2858 spice_ticket => $spice_ticket,
2859 network => $migration_network,
2860 type => $migration_type,
2861 storagemap => $storagemap,
2862 nbd_proto_version => $nbd_protocol_version,
2863 replicated_volumes => $replicated_volumes,
2864 offline_volumes => $offline_volumes,
2865 };
2866
2867 my $params = {
2868 statefile => $stateuri,
2869 skiplock => $skiplock,
2870 forcemachine => $machine,
2871 timeout => $timeout,
2872 forcecpu => $force_cpu,
2873 };
2874
2875 PVE::QemuServer::vm_start($storecfg, $vmid, $params, $migrate_opts);
2876 return;
2877 };
2878
2879 return $rpcenv->fork_worker('qmstart', $vmid, $authuser, $realcmd);
2880 }
2881 }});
2882
2883 __PACKAGE__->register_method({
2884 name => 'vm_stop',
2885 path => '{vmid}/status/stop',
2886 method => 'POST',
2887 protected => 1,
2888 proxyto => 'node',
2889 description => "Stop virtual machine. The qemu process will exit immediately. This" .
2890 "is akin to pulling the power plug of a running computer and may damage the VM data",
2891 permissions => {
2892 check => ['perm', '/vms/{vmid}', [ 'VM.PowerMgmt' ]],
2893 },
2894 parameters => {
2895 additionalProperties => 0,
2896 properties => {
2897 node => get_standard_option('pve-node'),
2898 vmid => get_standard_option('pve-vmid',
2899 { completion => \&PVE::QemuServer::complete_vmid_running }),
2900 skiplock => get_standard_option('skiplock'),
2901 migratedfrom => get_standard_option('pve-node', { optional => 1 }),
2902 timeout => {
2903 description => "Wait maximal timeout seconds.",
2904 type => 'integer',
2905 minimum => 0,
2906 optional => 1,
2907 },
2908 keepActive => {
2909 description => "Do not deactivate storage volumes.",
2910 type => 'boolean',
2911 optional => 1,
2912 default => 0,
2913 }
2914 },
2915 },
2916 returns => {
2917 type => 'string',
2918 },
2919 code => sub {
2920 my ($param) = @_;
2921
2922 my $rpcenv = PVE::RPCEnvironment::get();
2923 my $authuser = $rpcenv->get_user();
2924
2925 my $node = extract_param($param, 'node');
2926 my $vmid = extract_param($param, 'vmid');
2927
2928 my $skiplock = extract_param($param, 'skiplock');
2929 raise_param_exc({ skiplock => "Only root may use this option." })
2930 if $skiplock && $authuser ne 'root@pam';
2931
2932 my $keepActive = extract_param($param, 'keepActive');
2933 raise_param_exc({ keepActive => "Only root may use this option." })
2934 if $keepActive && $authuser ne 'root@pam';
2935
2936 my $migratedfrom = extract_param($param, 'migratedfrom');
2937 raise_param_exc({ migratedfrom => "Only root may use this option." })
2938 if $migratedfrom && $authuser ne 'root@pam';
2939
2940
2941 my $storecfg = PVE::Storage::config();
2942
2943 if (PVE::HA::Config::vm_is_ha_managed($vmid) && ($rpcenv->{type} ne 'ha') && !defined($migratedfrom)) {
2944
2945 my $hacmd = sub {
2946 my $upid = shift;
2947
2948 print "Requesting HA stop for VM $vmid\n";
2949
2950 my $cmd = ['ha-manager', 'crm-command', 'stop', "vm:$vmid", '0'];
2951 PVE::Tools::run_command($cmd);
2952 return;
2953 };
2954
2955 return $rpcenv->fork_worker('hastop', $vmid, $authuser, $hacmd);
2956
2957 } else {
2958 my $realcmd = sub {
2959 my $upid = shift;
2960
2961 syslog('info', "stop VM $vmid: $upid\n");
2962
2963 PVE::QemuServer::vm_stop($storecfg, $vmid, $skiplock, 0,
2964 $param->{timeout}, 0, 1, $keepActive, $migratedfrom);
2965 return;
2966 };
2967
2968 return $rpcenv->fork_worker('qmstop', $vmid, $authuser, $realcmd);
2969 }
2970 }});
2971
2972 __PACKAGE__->register_method({
2973 name => 'vm_reset',
2974 path => '{vmid}/status/reset',
2975 method => 'POST',
2976 protected => 1,
2977 proxyto => 'node',
2978 description => "Reset virtual machine.",
2979 permissions => {
2980 check => ['perm', '/vms/{vmid}', [ 'VM.PowerMgmt' ]],
2981 },
2982 parameters => {
2983 additionalProperties => 0,
2984 properties => {
2985 node => get_standard_option('pve-node'),
2986 vmid => get_standard_option('pve-vmid',
2987 { completion => \&PVE::QemuServer::complete_vmid_running }),
2988 skiplock => get_standard_option('skiplock'),
2989 },
2990 },
2991 returns => {
2992 type => 'string',
2993 },
2994 code => sub {
2995 my ($param) = @_;
2996
2997 my $rpcenv = PVE::RPCEnvironment::get();
2998
2999 my $authuser = $rpcenv->get_user();
3000
3001 my $node = extract_param($param, 'node');
3002
3003 my $vmid = extract_param($param, 'vmid');
3004
3005 my $skiplock = extract_param($param, 'skiplock');
3006 raise_param_exc({ skiplock => "Only root may use this option." })
3007 if $skiplock && $authuser ne 'root@pam';
3008
3009 die "VM $vmid not running\n" if !PVE::QemuServer::check_running($vmid);
3010
3011 my $realcmd = sub {
3012 my $upid = shift;
3013
3014 PVE::QemuServer::vm_reset($vmid, $skiplock);
3015
3016 return;
3017 };
3018
3019 return $rpcenv->fork_worker('qmreset', $vmid, $authuser, $realcmd);
3020 }});
3021
3022 __PACKAGE__->register_method({
3023 name => 'vm_shutdown',
3024 path => '{vmid}/status/shutdown',
3025 method => 'POST',
3026 protected => 1,
3027 proxyto => 'node',
3028 description => "Shutdown virtual machine. This is similar to pressing the power button on a physical machine." .
3029 "This will send an ACPI event for the guest OS, which should then proceed to a clean shutdown.",
3030 permissions => {
3031 check => ['perm', '/vms/{vmid}', [ 'VM.PowerMgmt' ]],
3032 },
3033 parameters => {
3034 additionalProperties => 0,
3035 properties => {
3036 node => get_standard_option('pve-node'),
3037 vmid => get_standard_option('pve-vmid',
3038 { completion => \&PVE::QemuServer::complete_vmid_running }),
3039 skiplock => get_standard_option('skiplock'),
3040 timeout => {
3041 description => "Wait maximal timeout seconds.",
3042 type => 'integer',
3043 minimum => 0,
3044 optional => 1,
3045 },
3046 forceStop => {
3047 description => "Make sure the VM stops.",
3048 type => 'boolean',
3049 optional => 1,
3050 default => 0,
3051 },
3052 keepActive => {
3053 description => "Do not deactivate storage volumes.",
3054 type => 'boolean',
3055 optional => 1,
3056 default => 0,
3057 }
3058 },
3059 },
3060 returns => {
3061 type => 'string',
3062 },
3063 code => sub {
3064 my ($param) = @_;
3065
3066 my $rpcenv = PVE::RPCEnvironment::get();
3067 my $authuser = $rpcenv->get_user();
3068
3069 my $node = extract_param($param, 'node');
3070 my $vmid = extract_param($param, 'vmid');
3071
3072 my $skiplock = extract_param($param, 'skiplock');
3073 raise_param_exc({ skiplock => "Only root may use this option." })
3074 if $skiplock && $authuser ne 'root@pam';
3075
3076 my $keepActive = extract_param($param, 'keepActive');
3077 raise_param_exc({ keepActive => "Only root may use this option." })
3078 if $keepActive && $authuser ne 'root@pam';
3079
3080 my $storecfg = PVE::Storage::config();
3081
3082 my $shutdown = 1;
3083
3084 # if vm is paused, do not shutdown (but stop if forceStop = 1)
3085 # otherwise, we will infer a shutdown command, but run into the timeout,
3086 # then when the vm is resumed, it will instantly shutdown
3087 #
3088 # checking the qmp status here to get feedback to the gui/cli/api
3089 # and the status query should not take too long
3090 if (PVE::QemuServer::vm_is_paused($vmid)) {
3091 if ($param->{forceStop}) {
3092 warn "VM is paused - stop instead of shutdown\n";
3093 $shutdown = 0;
3094 } else {
3095 die "VM is paused - cannot shutdown\n";
3096 }
3097 }
3098
3099 if (PVE::HA::Config::vm_is_ha_managed($vmid) && $rpcenv->{type} ne 'ha') {
3100
3101 my $timeout = $param->{timeout} // 60;
3102 my $hacmd = sub {
3103 my $upid = shift;
3104
3105 print "Requesting HA stop for VM $vmid\n";
3106
3107 my $cmd = ['ha-manager', 'crm-command', 'stop', "vm:$vmid", "$timeout"];
3108 PVE::Tools::run_command($cmd);
3109 return;
3110 };
3111
3112 return $rpcenv->fork_worker('hastop', $vmid, $authuser, $hacmd);
3113
3114 } else {
3115
3116 my $realcmd = sub {
3117 my $upid = shift;
3118
3119 syslog('info', "shutdown VM $vmid: $upid\n");
3120
3121 PVE::QemuServer::vm_stop($storecfg, $vmid, $skiplock, 0, $param->{timeout},
3122 $shutdown, $param->{forceStop}, $keepActive);
3123 return;
3124 };
3125
3126 return $rpcenv->fork_worker('qmshutdown', $vmid, $authuser, $realcmd);
3127 }
3128 }});
3129
3130 __PACKAGE__->register_method({
3131 name => 'vm_reboot',
3132 path => '{vmid}/status/reboot',
3133 method => 'POST',
3134 protected => 1,
3135 proxyto => 'node',
3136 description => "Reboot the VM by shutting it down, and starting it again. Applies pending changes.",
3137 permissions => {
3138 check => ['perm', '/vms/{vmid}', [ 'VM.PowerMgmt' ]],
3139 },
3140 parameters => {
3141 additionalProperties => 0,
3142 properties => {
3143 node => get_standard_option('pve-node'),
3144 vmid => get_standard_option('pve-vmid',
3145 { completion => \&PVE::QemuServer::complete_vmid_running }),
3146 timeout => {
3147 description => "Wait maximal timeout seconds for the shutdown.",
3148 type => 'integer',
3149 minimum => 0,
3150 optional => 1,
3151 },
3152 },
3153 },
3154 returns => {
3155 type => 'string',
3156 },
3157 code => sub {
3158 my ($param) = @_;
3159
3160 my $rpcenv = PVE::RPCEnvironment::get();
3161 my $authuser = $rpcenv->get_user();
3162
3163 my $node = extract_param($param, 'node');
3164 my $vmid = extract_param($param, 'vmid');
3165
3166 die "VM is paused - cannot shutdown\n" if PVE::QemuServer::vm_is_paused($vmid);
3167
3168 die "VM $vmid not running\n" if !PVE::QemuServer::check_running($vmid);
3169
3170 my $realcmd = sub {
3171 my $upid = shift;
3172
3173 syslog('info', "requesting reboot of VM $vmid: $upid\n");
3174 PVE::QemuServer::vm_reboot($vmid, $param->{timeout});
3175 return;
3176 };
3177
3178 return $rpcenv->fork_worker('qmreboot', $vmid, $authuser, $realcmd);
3179 }});
3180
3181 __PACKAGE__->register_method({
3182 name => 'vm_suspend',
3183 path => '{vmid}/status/suspend',
3184 method => 'POST',
3185 protected => 1,
3186 proxyto => 'node',
3187 description => "Suspend virtual machine.",
3188 permissions => {
3189 description => "You need 'VM.PowerMgmt' on /vms/{vmid}, and if you have set 'todisk',".
3190 " you need also 'VM.Config.Disk' on /vms/{vmid} and 'Datastore.AllocateSpace'".
3191 " on the storage for the vmstate.",
3192 check => ['perm', '/vms/{vmid}', [ 'VM.PowerMgmt' ]],
3193 },
3194 parameters => {
3195 additionalProperties => 0,
3196 properties => {
3197 node => get_standard_option('pve-node'),
3198 vmid => get_standard_option('pve-vmid',
3199 { completion => \&PVE::QemuServer::complete_vmid_running }),
3200 skiplock => get_standard_option('skiplock'),
3201 todisk => {
3202 type => 'boolean',
3203 default => 0,
3204 optional => 1,
3205 description => 'If set, suspends the VM to disk. Will be resumed on next VM start.',
3206 },
3207 statestorage => get_standard_option('pve-storage-id', {
3208 description => "The storage for the VM state",
3209 requires => 'todisk',
3210 optional => 1,
3211 completion => \&PVE::Storage::complete_storage_enabled,
3212 }),
3213 },
3214 },
3215 returns => {
3216 type => 'string',
3217 },
3218 code => sub {
3219 my ($param) = @_;
3220
3221 my $rpcenv = PVE::RPCEnvironment::get();
3222 my $authuser = $rpcenv->get_user();
3223
3224 my $node = extract_param($param, 'node');
3225 my $vmid = extract_param($param, 'vmid');
3226
3227 my $todisk = extract_param($param, 'todisk') // 0;
3228
3229 my $statestorage = extract_param($param, 'statestorage');
3230
3231 my $skiplock = extract_param($param, 'skiplock');
3232 raise_param_exc({ skiplock => "Only root may use this option." })
3233 if $skiplock && $authuser ne 'root@pam';
3234
3235 die "VM $vmid not running\n" if !PVE::QemuServer::check_running($vmid);
3236
3237 die "Cannot suspend HA managed VM to disk\n"
3238 if $todisk && PVE::HA::Config::vm_is_ha_managed($vmid);
3239
3240 # early check for storage permission, for better user feedback
3241 if ($todisk) {
3242 $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Disk']);
3243 my $conf = PVE::QemuConfig->load_config($vmid);
3244
3245 # cannot save the state of a non-virtualized PCIe device, so resume cannot really work
3246 for my $key (keys %$conf) {
3247 next if $key !~ /^hostpci\d+/;
3248 die "cannot suspend VM to disk due to passed-through PCI device(s), which lack the"
3249 ." possibility to save/restore their internal state\n";
3250 }
3251
3252 if (!$statestorage) {
3253 # get statestorage from config if none is given
3254 my $storecfg = PVE::Storage::config();
3255 $statestorage = PVE::QemuServer::find_vmstate_storage($conf, $storecfg);
3256 }
3257
3258 $rpcenv->check($authuser, "/storage/$statestorage", ['Datastore.AllocateSpace']);
3259 }
3260
3261 my $realcmd = sub {
3262 my $upid = shift;
3263
3264 syslog('info', "suspend VM $vmid: $upid\n");
3265
3266 PVE::QemuServer::vm_suspend($vmid, $skiplock, $todisk, $statestorage);
3267
3268 return;
3269 };
3270
3271 my $taskname = $todisk ? 'qmsuspend' : 'qmpause';
3272 return $rpcenv->fork_worker($taskname, $vmid, $authuser, $realcmd);
3273 }});
3274
3275 __PACKAGE__->register_method({
3276 name => 'vm_resume',
3277 path => '{vmid}/status/resume',
3278 method => 'POST',
3279 protected => 1,
3280 proxyto => 'node',
3281 description => "Resume virtual machine.",
3282 permissions => {
3283 check => ['perm', '/vms/{vmid}', [ 'VM.PowerMgmt' ]],
3284 },
3285 parameters => {
3286 additionalProperties => 0,
3287 properties => {
3288 node => get_standard_option('pve-node'),
3289 vmid => get_standard_option('pve-vmid',
3290 { completion => \&PVE::QemuServer::complete_vmid_running }),
3291 skiplock => get_standard_option('skiplock'),
3292 nocheck => { type => 'boolean', optional => 1 },
3293
3294 },
3295 },
3296 returns => {
3297 type => 'string',
3298 },
3299 code => sub {
3300 my ($param) = @_;
3301
3302 my $rpcenv = PVE::RPCEnvironment::get();
3303
3304 my $authuser = $rpcenv->get_user();
3305
3306 my $node = extract_param($param, 'node');
3307
3308 my $vmid = extract_param($param, 'vmid');
3309
3310 my $skiplock = extract_param($param, 'skiplock');
3311 raise_param_exc({ skiplock => "Only root may use this option." })
3312 if $skiplock && $authuser ne 'root@pam';
3313
3314 # nocheck is used as part of migration when config file might be still
3315 # be on source node
3316 my $nocheck = extract_param($param, 'nocheck');
3317 raise_param_exc({ nocheck => "Only root may use this option." })
3318 if $nocheck && $authuser ne 'root@pam';
3319
3320 my $to_disk_suspended;
3321 eval {
3322 PVE::QemuConfig->lock_config($vmid, sub {
3323 my $conf = PVE::QemuConfig->load_config($vmid);
3324 $to_disk_suspended = PVE::QemuConfig->has_lock($conf, 'suspended');
3325 });
3326 };
3327
3328 die "VM $vmid not running\n"
3329 if !$to_disk_suspended && !PVE::QemuServer::check_running($vmid, $nocheck);
3330
3331 my $realcmd = sub {
3332 my $upid = shift;
3333
3334 syslog('info', "resume VM $vmid: $upid\n");
3335
3336 if (!$to_disk_suspended) {
3337 PVE::QemuServer::vm_resume($vmid, $skiplock, $nocheck);
3338 } else {
3339 my $storecfg = PVE::Storage::config();
3340 PVE::QemuServer::vm_start($storecfg, $vmid, { skiplock => $skiplock });
3341 }
3342
3343 return;
3344 };
3345
3346 return $rpcenv->fork_worker('qmresume', $vmid, $authuser, $realcmd);
3347 }});
3348
3349 __PACKAGE__->register_method({
3350 name => 'vm_sendkey',
3351 path => '{vmid}/sendkey',
3352 method => 'PUT',
3353 protected => 1,
3354 proxyto => 'node',
3355 description => "Send key event to virtual machine.",
3356 permissions => {
3357 check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
3358 },
3359 parameters => {
3360 additionalProperties => 0,
3361 properties => {
3362 node => get_standard_option('pve-node'),
3363 vmid => get_standard_option('pve-vmid',
3364 { completion => \&PVE::QemuServer::complete_vmid_running }),
3365 skiplock => get_standard_option('skiplock'),
3366 key => {
3367 description => "The key (qemu monitor encoding).",
3368 type => 'string'
3369 }
3370 },
3371 },
3372 returns => { type => 'null'},
3373 code => sub {
3374 my ($param) = @_;
3375
3376 my $rpcenv = PVE::RPCEnvironment::get();
3377
3378 my $authuser = $rpcenv->get_user();
3379
3380 my $node = extract_param($param, 'node');
3381
3382 my $vmid = extract_param($param, 'vmid');
3383
3384 my $skiplock = extract_param($param, 'skiplock');
3385 raise_param_exc({ skiplock => "Only root may use this option." })
3386 if $skiplock && $authuser ne 'root@pam';
3387
3388 PVE::QemuServer::vm_sendkey($vmid, $skiplock, $param->{key});
3389
3390 return;
3391 }});
3392
3393 __PACKAGE__->register_method({
3394 name => 'vm_feature',
3395 path => '{vmid}/feature',
3396 method => 'GET',
3397 proxyto => 'node',
3398 protected => 1,
3399 description => "Check if feature for virtual machine is available.",
3400 permissions => {
3401 check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
3402 },
3403 parameters => {
3404 additionalProperties => 0,
3405 properties => {
3406 node => get_standard_option('pve-node'),
3407 vmid => get_standard_option('pve-vmid'),
3408 feature => {
3409 description => "Feature to check.",
3410 type => 'string',
3411 enum => [ 'snapshot', 'clone', 'copy' ],
3412 },
3413 snapname => get_standard_option('pve-snapshot-name', {
3414 optional => 1,
3415 }),
3416 },
3417 },
3418 returns => {
3419 type => "object",
3420 properties => {
3421 hasFeature => { type => 'boolean' },
3422 nodes => {
3423 type => 'array',
3424 items => { type => 'string' },
3425 }
3426 },
3427 },
3428 code => sub {
3429 my ($param) = @_;
3430
3431 my $node = extract_param($param, 'node');
3432
3433 my $vmid = extract_param($param, 'vmid');
3434
3435 my $snapname = extract_param($param, 'snapname');
3436
3437 my $feature = extract_param($param, 'feature');
3438
3439 my $running = PVE::QemuServer::check_running($vmid);
3440
3441 my $conf = PVE::QemuConfig->load_config($vmid);
3442
3443 if($snapname){
3444 my $snap = $conf->{snapshots}->{$snapname};
3445 die "snapshot '$snapname' does not exist\n" if !defined($snap);
3446 $conf = $snap;
3447 }
3448 my $storecfg = PVE::Storage::config();
3449
3450 my $nodelist = PVE::QemuServer::shared_nodes($conf, $storecfg);
3451 my $hasFeature = PVE::QemuConfig->has_feature($feature, $conf, $storecfg, $snapname, $running);
3452
3453 return {
3454 hasFeature => $hasFeature,
3455 nodes => [ keys %$nodelist ],
3456 };
3457 }});
3458
3459 __PACKAGE__->register_method({
3460 name => 'clone_vm',
3461 path => '{vmid}/clone',
3462 method => 'POST',
3463 protected => 1,
3464 proxyto => 'node',
3465 description => "Create a copy of virtual machine/template.",
3466 permissions => {
3467 description => "You need 'VM.Clone' permissions on /vms/{vmid}, and 'VM.Allocate' permissions " .
3468 "on /vms/{newid} (or on the VM pool /pool/{pool}). You also need " .
3469 "'Datastore.AllocateSpace' on any used storage and 'SDN.Use' on any used bridge/vnet",
3470 check =>
3471 [ 'and',
3472 ['perm', '/vms/{vmid}', [ 'VM.Clone' ]],
3473 [ 'or',
3474 [ 'perm', '/vms/{newid}', ['VM.Allocate']],
3475 [ 'perm', '/pool/{pool}', ['VM.Allocate'], require_param => 'pool'],
3476 ],
3477 ]
3478 },
3479 parameters => {
3480 additionalProperties => 0,
3481 properties => {
3482 node => get_standard_option('pve-node'),
3483 vmid => get_standard_option('pve-vmid', { completion => \&PVE::QemuServer::complete_vmid }),
3484 newid => get_standard_option('pve-vmid', {
3485 completion => \&PVE::Cluster::complete_next_vmid,
3486 description => 'VMID for the clone.' }),
3487 name => {
3488 optional => 1,
3489 type => 'string', format => 'dns-name',
3490 description => "Set a name for the new VM.",
3491 },
3492 description => {
3493 optional => 1,
3494 type => 'string',
3495 description => "Description for the new VM.",
3496 },
3497 pool => {
3498 optional => 1,
3499 type => 'string', format => 'pve-poolid',
3500 description => "Add the new VM to the specified pool.",
3501 },
3502 snapname => get_standard_option('pve-snapshot-name', {
3503 optional => 1,
3504 }),
3505 storage => get_standard_option('pve-storage-id', {
3506 description => "Target storage for full clone.",
3507 optional => 1,
3508 }),
3509 'format' => {
3510 description => "Target format for file storage. Only valid for full clone.",
3511 type => 'string',
3512 optional => 1,
3513 enum => [ 'raw', 'qcow2', 'vmdk'],
3514 },
3515 full => {
3516 optional => 1,
3517 type => 'boolean',
3518 description => "Create a full copy of all disks. This is always done when " .
3519 "you clone a normal VM. For VM templates, we try to create a linked clone by default.",
3520 },
3521 target => get_standard_option('pve-node', {
3522 description => "Target node. Only allowed if the original VM is on shared storage.",
3523 optional => 1,
3524 }),
3525 bwlimit => {
3526 description => "Override I/O bandwidth limit (in KiB/s).",
3527 optional => 1,
3528 type => 'integer',
3529 minimum => '0',
3530 default => 'clone limit from datacenter or storage config',
3531 },
3532 },
3533 },
3534 returns => {
3535 type => 'string',
3536 },
3537 code => sub {
3538 my ($param) = @_;
3539
3540 my $rpcenv = PVE::RPCEnvironment::get();
3541 my $authuser = $rpcenv->get_user();
3542
3543 my $node = extract_param($param, 'node');
3544 my $vmid = extract_param($param, 'vmid');
3545 my $newid = extract_param($param, 'newid');
3546 my $pool = extract_param($param, 'pool');
3547
3548 my $snapname = extract_param($param, 'snapname');
3549 my $storage = extract_param($param, 'storage');
3550 my $format = extract_param($param, 'format');
3551 my $target = extract_param($param, 'target');
3552
3553 my $localnode = PVE::INotify::nodename();
3554
3555 if ($target && ($target eq $localnode || $target eq 'localhost')) {
3556 undef $target;
3557 }
3558
3559 my $running = PVE::QemuServer::check_running($vmid) || 0;
3560
3561 my $load_and_check = sub {
3562 $rpcenv->check_pool_exist($pool) if defined($pool);
3563 PVE::Cluster::check_node_exists($target) if $target;
3564
3565 my $storecfg = PVE::Storage::config();
3566
3567 if ($storage) {
3568 # check if storage is enabled on local node
3569 PVE::Storage::storage_check_enabled($storecfg, $storage);
3570 if ($target) {
3571 # check if storage is available on target node
3572 PVE::Storage::storage_check_enabled($storecfg, $storage, $target);
3573 # clone only works if target storage is shared
3574 my $scfg = PVE::Storage::storage_config($storecfg, $storage);
3575 die "can't clone to non-shared storage '$storage'\n"
3576 if !$scfg->{shared};
3577 }
3578 }
3579
3580 PVE::Cluster::check_cfs_quorum();
3581
3582 my $conf = PVE::QemuConfig->load_config($vmid);
3583 PVE::QemuConfig->check_lock($conf);
3584
3585 my $verify_running = PVE::QemuServer::check_running($vmid) || 0;
3586 die "unexpected state change\n" if $verify_running != $running;
3587
3588 die "snapshot '$snapname' does not exist\n"
3589 if $snapname && !defined( $conf->{snapshots}->{$snapname});
3590
3591 my $full = $param->{full} // !PVE::QemuConfig->is_template($conf);
3592
3593 die "parameter 'storage' not allowed for linked clones\n"
3594 if defined($storage) && !$full;
3595
3596 die "parameter 'format' not allowed for linked clones\n"
3597 if defined($format) && !$full;
3598
3599 my $oldconf = $snapname ? $conf->{snapshots}->{$snapname} : $conf;
3600
3601 my $sharedvm = &$check_storage_access_clone($rpcenv, $authuser, $storecfg, $oldconf, $storage);
3602 PVE::QemuServer::check_mapping_access($rpcenv, $authuser, $oldconf);
3603
3604 PVE::QemuServer::check_bridge_access($rpcenv, $authuser, $oldconf);
3605
3606 die "can't clone VM to node '$target' (VM uses local storage)\n"
3607 if $target && !$sharedvm;
3608
3609 my $conffile = PVE::QemuConfig->config_file($newid);
3610 die "unable to create VM $newid: config file already exists\n"
3611 if -f $conffile;
3612
3613 my $newconf = { lock => 'clone' };
3614 my $drives = {};
3615 my $fullclone = {};
3616 my $vollist = [];
3617
3618 foreach my $opt (keys %$oldconf) {
3619 my $value = $oldconf->{$opt};
3620
3621 # do not copy snapshot related info
3622 next if $opt eq 'snapshots' || $opt eq 'parent' || $opt eq 'snaptime' ||
3623 $opt eq 'vmstate' || $opt eq 'snapstate';
3624
3625 # no need to copy unused images, because VMID(owner) changes anyways
3626 next if $opt =~ m/^unused\d+$/;
3627
3628 die "cannot clone TPM state while VM is running\n"
3629 if $full && $running && !$snapname && $opt eq 'tpmstate0';
3630
3631 # always change MAC! address
3632 if ($opt =~ m/^net(\d+)$/) {
3633 my $net = PVE::QemuServer::parse_net($value);
3634 my $dc = PVE::Cluster::cfs_read_file('datacenter.cfg');
3635 $net->{macaddr} = PVE::Tools::random_ether_addr($dc->{mac_prefix});
3636 $newconf->{$opt} = PVE::QemuServer::print_net($net);
3637 } elsif (PVE::QemuServer::is_valid_drivename($opt)) {
3638 my $drive = PVE::QemuServer::parse_drive($opt, $value);
3639 die "unable to parse drive options for '$opt'\n" if !$drive;
3640 if (PVE::QemuServer::drive_is_cdrom($drive, 1)) {
3641 $newconf->{$opt} = $value; # simply copy configuration
3642 } else {
3643 if ($full || PVE::QemuServer::drive_is_cloudinit($drive)) {
3644 die "Full clone feature is not supported for drive '$opt'\n"
3645 if !PVE::Storage::volume_has_feature($storecfg, 'copy', $drive->{file}, $snapname, $running);
3646 $fullclone->{$opt} = 1;
3647 } else {
3648 # not full means clone instead of copy
3649 die "Linked clone feature is not supported for drive '$opt'\n"
3650 if !PVE::Storage::volume_has_feature($storecfg, 'clone', $drive->{file}, $snapname, $running);
3651 }
3652 $drives->{$opt} = $drive;
3653 next if PVE::QemuServer::drive_is_cloudinit($drive);
3654 push @$vollist, $drive->{file};
3655 }
3656 } else {
3657 # copy everything else
3658 $newconf->{$opt} = $value;
3659 }
3660 }
3661
3662 return ($conffile, $newconf, $oldconf, $vollist, $drives, $fullclone);
3663 };
3664
3665 my $clonefn = sub {
3666 my ($conffile, $newconf, $oldconf, $vollist, $drives, $fullclone) = $load_and_check->();
3667 my $storecfg = PVE::Storage::config();
3668
3669 # auto generate a new uuid
3670 my $smbios1 = PVE::QemuServer::parse_smbios1($newconf->{smbios1} || '');
3671 $smbios1->{uuid} = PVE::QemuServer::generate_uuid();
3672 $newconf->{smbios1} = PVE::QemuServer::print_smbios1($smbios1);
3673 # auto generate a new vmgenid only if the option was set for template
3674 if ($newconf->{vmgenid}) {
3675 $newconf->{vmgenid} = PVE::QemuServer::generate_uuid();
3676 }
3677
3678 delete $newconf->{template};
3679
3680 if ($param->{name}) {
3681 $newconf->{name} = $param->{name};
3682 } else {
3683 $newconf->{name} = "Copy-of-VM-" . ($oldconf->{name} // $vmid);
3684 }
3685
3686 if ($param->{description}) {
3687 $newconf->{description} = $param->{description};
3688 }
3689
3690 # create empty/temp config - this fails if VM already exists on other node
3691 # FIXME use PVE::QemuConfig->create_and_lock_config and adapt code
3692 PVE::Tools::file_set_contents($conffile, "# qmclone temporary file\nlock: clone\n");
3693
3694 PVE::Firewall::clone_vmfw_conf($vmid, $newid);
3695
3696 my $newvollist = [];
3697 my $jobs = {};
3698
3699 eval {
3700 local $SIG{INT} =
3701 local $SIG{TERM} =
3702 local $SIG{QUIT} =
3703 local $SIG{HUP} = sub { die "interrupted by signal\n"; };
3704
3705 PVE::Storage::activate_volumes($storecfg, $vollist, $snapname);
3706
3707 my $bwlimit = extract_param($param, 'bwlimit');
3708
3709 my $total_jobs = scalar(keys %{$drives});
3710 my $i = 1;
3711
3712 foreach my $opt (sort keys %$drives) {
3713 my $drive = $drives->{$opt};
3714 my $skipcomplete = ($total_jobs != $i); # finish after last drive
3715 my $completion = $skipcomplete ? 'skip' : 'complete';
3716
3717 my $src_sid = PVE::Storage::parse_volume_id($drive->{file});
3718 my $storage_list = [ $src_sid ];
3719 push @$storage_list, $storage if defined($storage);
3720 my $clonelimit = PVE::Storage::get_bandwidth_limit('clone', $storage_list, $bwlimit);
3721
3722 my $source_info = {
3723 vmid => $vmid,
3724 running => $running,
3725 drivename => $opt,
3726 drive => $drive,
3727 snapname => $snapname,
3728 };
3729
3730 my $dest_info = {
3731 vmid => $newid,
3732 drivename => $opt,
3733 storage => $storage,
3734 format => $format,
3735 };
3736
3737 $dest_info->{efisize} = PVE::QemuServer::get_efivars_size($oldconf)
3738 if $opt eq 'efidisk0';
3739
3740 my $newdrive = PVE::QemuServer::clone_disk(
3741 $storecfg,
3742 $source_info,
3743 $dest_info,
3744 $fullclone->{$opt},
3745 $newvollist,
3746 $jobs,
3747 $completion,
3748 $oldconf->{agent},
3749 $clonelimit,
3750 );
3751
3752 $newconf->{$opt} = PVE::QemuServer::print_drive($newdrive);
3753
3754 PVE::QemuConfig->write_config($newid, $newconf);
3755 $i++;
3756 }
3757
3758 delete $newconf->{lock};
3759
3760 # do not write pending changes
3761 if (my @changes = keys %{$newconf->{pending}}) {
3762 my $pending = join(',', @changes);
3763 warn "found pending changes for '$pending', discarding for clone\n";
3764 delete $newconf->{pending};
3765 }
3766
3767 PVE::QemuConfig->write_config($newid, $newconf);
3768
3769 if ($target) {
3770 # always deactivate volumes - avoid lvm LVs to be active on several nodes
3771 PVE::Storage::deactivate_volumes($storecfg, $vollist, $snapname) if !$running;
3772 PVE::Storage::deactivate_volumes($storecfg, $newvollist);
3773
3774 my $newconffile = PVE::QemuConfig->config_file($newid, $target);
3775 die "Failed to move config to node '$target' - rename failed: $!\n"
3776 if !rename($conffile, $newconffile);
3777 }
3778
3779 PVE::AccessControl::add_vm_to_pool($newid, $pool) if $pool;
3780 };
3781 if (my $err = $@) {
3782 eval { PVE::QemuServer::qemu_blockjobs_cancel($vmid, $jobs) };
3783 sleep 1; # some storage like rbd need to wait before release volume - really?
3784
3785 foreach my $volid (@$newvollist) {
3786 eval { PVE::Storage::vdisk_free($storecfg, $volid); };
3787 warn $@ if $@;
3788 }
3789
3790 PVE::Firewall::remove_vmfw_conf($newid);
3791
3792 unlink $conffile; # avoid races -> last thing before die
3793
3794 die "clone failed: $err";
3795 }
3796
3797 return;
3798 };
3799
3800 # Aquire exclusive lock lock for $newid
3801 my $lock_target_vm = sub {
3802 return PVE::QemuConfig->lock_config_full($newid, 1, $clonefn);
3803 };
3804
3805 my $lock_source_vm = sub {
3806 # exclusive lock if VM is running - else shared lock is enough;
3807 if ($running) {
3808 return PVE::QemuConfig->lock_config_full($vmid, 1, $lock_target_vm);
3809 } else {
3810 return PVE::QemuConfig->lock_config_shared($vmid, 1, $lock_target_vm);
3811 }
3812 };
3813
3814 $load_and_check->(); # early checks before forking/locking
3815
3816 return $rpcenv->fork_worker('qmclone', $vmid, $authuser, $lock_source_vm);
3817 }});
3818
3819 __PACKAGE__->register_method({
3820 name => 'move_vm_disk',
3821 path => '{vmid}/move_disk',
3822 method => 'POST',
3823 protected => 1,
3824 proxyto => 'node',
3825 description => "Move volume to different storage or to a different VM.",
3826 permissions => {
3827 description => "You need 'VM.Config.Disk' permissions on /vms/{vmid}, " .
3828 "and 'Datastore.AllocateSpace' permissions on the storage. To move ".
3829 "a disk to another VM, you need the permissions on the target VM as well.",
3830 check => ['perm', '/vms/{vmid}', [ 'VM.Config.Disk' ]],
3831 },
3832 parameters => {
3833 additionalProperties => 0,
3834 properties => {
3835 node => get_standard_option('pve-node'),
3836 vmid => get_standard_option('pve-vmid', { completion => \&PVE::QemuServer::complete_vmid }),
3837 'target-vmid' => get_standard_option('pve-vmid', {
3838 completion => \&PVE::QemuServer::complete_vmid,
3839 optional => 1,
3840 }),
3841 disk => {
3842 type => 'string',
3843 description => "The disk you want to move.",
3844 enum => [PVE::QemuServer::Drive::valid_drive_names_with_unused()],
3845 },
3846 storage => get_standard_option('pve-storage-id', {
3847 description => "Target storage.",
3848 completion => \&PVE::QemuServer::complete_storage,
3849 optional => 1,
3850 }),
3851 'format' => {
3852 type => 'string',
3853 description => "Target Format.",
3854 enum => [ 'raw', 'qcow2', 'vmdk' ],
3855 optional => 1,
3856 },
3857 delete => {
3858 type => 'boolean',
3859 description => "Delete the original disk after successful copy. By default the"
3860 ." original disk is kept as unused disk.",
3861 optional => 1,
3862 default => 0,
3863 },
3864 digest => {
3865 type => 'string',
3866 description => 'Prevent changes if current configuration file has different SHA1"
3867 ." digest. This can be used to prevent concurrent modifications.',
3868 maxLength => 40,
3869 optional => 1,
3870 },
3871 bwlimit => {
3872 description => "Override I/O bandwidth limit (in KiB/s).",
3873 optional => 1,
3874 type => 'integer',
3875 minimum => '0',
3876 default => 'move limit from datacenter or storage config',
3877 },
3878 'target-disk' => {
3879 type => 'string',
3880 description => "The config key the disk will be moved to on the target VM"
3881 ." (for example, ide0 or scsi1). Default is the source disk key.",
3882 enum => [PVE::QemuServer::Drive::valid_drive_names_with_unused()],
3883 optional => 1,
3884 },
3885 'target-digest' => {
3886 type => 'string',
3887 description => 'Prevent changes if the current config file of the target VM has a"
3888 ." different SHA1 digest. This can be used to detect concurrent modifications.',
3889 maxLength => 40,
3890 optional => 1,
3891 },
3892 },
3893 },
3894 returns => {
3895 type => 'string',
3896 description => "the task ID.",
3897 },
3898 code => sub {
3899 my ($param) = @_;
3900
3901 my $rpcenv = PVE::RPCEnvironment::get();
3902 my $authuser = $rpcenv->get_user();
3903
3904 my $node = extract_param($param, 'node');
3905 my $vmid = extract_param($param, 'vmid');
3906 my $target_vmid = extract_param($param, 'target-vmid');
3907 my $digest = extract_param($param, 'digest');
3908 my $target_digest = extract_param($param, 'target-digest');
3909 my $disk = extract_param($param, 'disk');
3910 my $target_disk = extract_param($param, 'target-disk') // $disk;
3911 my $storeid = extract_param($param, 'storage');
3912 my $format = extract_param($param, 'format');
3913
3914 my $storecfg = PVE::Storage::config();
3915
3916 my $load_and_check_move = sub {
3917 my $conf = PVE::QemuConfig->load_config($vmid);
3918 PVE::QemuConfig->check_lock($conf);
3919
3920 PVE::Tools::assert_if_modified($digest, $conf->{digest});
3921
3922 die "disk '$disk' does not exist\n" if !$conf->{$disk};
3923
3924 my $drive = PVE::QemuServer::parse_drive($disk, $conf->{$disk});
3925
3926 die "disk '$disk' has no associated volume\n" if !$drive->{file};
3927 die "you can't move a cdrom\n" if PVE::QemuServer::drive_is_cdrom($drive, 1);
3928
3929 my $old_volid = $drive->{file};
3930 my $oldfmt;
3931 my ($oldstoreid, $oldvolname) = PVE::Storage::parse_volume_id($old_volid);
3932 if ($oldvolname =~ m/\.(raw|qcow2|vmdk)$/){
3933 $oldfmt = $1;
3934 }
3935
3936 die "you can't move to the same storage with same format\n"
3937 if $oldstoreid eq $storeid && (!$format || !$oldfmt || $oldfmt eq $format);
3938
3939 # this only checks snapshots because $disk is passed!
3940 my $snapshotted = PVE::QemuServer::Drive::is_volume_in_use(
3941 $storecfg,
3942 $conf,
3943 $disk,
3944 $old_volid
3945 );
3946 die "you can't move a disk with snapshots and delete the source\n"
3947 if $snapshotted && $param->{delete};
3948
3949 return ($conf, $drive, $oldstoreid, $snapshotted);
3950 };
3951
3952 my $move_updatefn = sub {
3953 my ($conf, $drive, $oldstoreid, $snapshotted) = $load_and_check_move->();
3954 my $old_volid = $drive->{file};
3955
3956 PVE::Cluster::log_msg(
3957 'info',
3958 $authuser,
3959 "move disk VM $vmid: move --disk $disk --storage $storeid"
3960 );
3961
3962 my $running = PVE::QemuServer::check_running($vmid);
3963
3964 PVE::Storage::activate_volumes($storecfg, [ $drive->{file} ]);
3965
3966 my $newvollist = [];
3967
3968 eval {
3969 local $SIG{INT} =
3970 local $SIG{TERM} =
3971 local $SIG{QUIT} =
3972 local $SIG{HUP} = sub { die "interrupted by signal\n"; };
3973
3974 warn "moving disk with snapshots, snapshots will not be moved!\n"
3975 if $snapshotted;
3976
3977 my $bwlimit = extract_param($param, 'bwlimit');
3978 my $movelimit = PVE::Storage::get_bandwidth_limit(
3979 'move',
3980 [$oldstoreid, $storeid],
3981 $bwlimit
3982 );
3983
3984 my $source_info = {
3985 vmid => $vmid,
3986 running => $running,
3987 drivename => $disk,
3988 drive => $drive,
3989 snapname => undef,
3990 };
3991
3992 my $dest_info = {
3993 vmid => $vmid,
3994 drivename => $disk,
3995 storage => $storeid,
3996 format => $format,
3997 };
3998
3999 $dest_info->{efisize} = PVE::QemuServer::get_efivars_size($conf)
4000 if $disk eq 'efidisk0';
4001
4002 my $newdrive = PVE::QemuServer::clone_disk(
4003 $storecfg,
4004 $source_info,
4005 $dest_info,
4006 1,
4007 $newvollist,
4008 undef,
4009 undef,
4010 undef,
4011 $movelimit,
4012 );
4013 $conf->{$disk} = PVE::QemuServer::print_drive($newdrive);
4014
4015 PVE::QemuConfig->add_unused_volume($conf, $old_volid) if !$param->{delete};
4016
4017 # convert moved disk to base if part of template
4018 PVE::QemuServer::template_create($vmid, $conf, $disk)
4019 if PVE::QemuConfig->is_template($conf);
4020
4021 PVE::QemuConfig->write_config($vmid, $conf);
4022
4023 my $do_trim = PVE::QemuServer::get_qga_key($conf, 'fstrim_cloned_disks');
4024 if ($running && $do_trim && PVE::QemuServer::qga_check_running($vmid)) {
4025 eval { mon_cmd($vmid, "guest-fstrim") };
4026 }
4027
4028 eval {
4029 # try to deactivate volumes - avoid lvm LVs to be active on several nodes
4030 PVE::Storage::deactivate_volumes($storecfg, [ $newdrive->{file} ])
4031 if !$running;
4032 };
4033 warn $@ if $@;
4034 };
4035 if (my $err = $@) {
4036 foreach my $volid (@$newvollist) {
4037 eval { PVE::Storage::vdisk_free($storecfg, $volid) };
4038 warn $@ if $@;
4039 }
4040 die "storage migration failed: $err";
4041 }
4042
4043 if ($param->{delete}) {
4044 eval {
4045 PVE::Storage::deactivate_volumes($storecfg, [$old_volid]);
4046 PVE::Storage::vdisk_free($storecfg, $old_volid);
4047 };
4048 warn $@ if $@;
4049 }
4050 };
4051
4052 my $load_and_check_reassign_configs = sub {
4053 my $vmlist = PVE::Cluster::get_vmlist()->{ids};
4054
4055 die "could not find VM ${vmid}\n" if !exists($vmlist->{$vmid});
4056 die "could not find target VM ${target_vmid}\n" if !exists($vmlist->{$target_vmid});
4057
4058 my $source_node = $vmlist->{$vmid}->{node};
4059 my $target_node = $vmlist->{$target_vmid}->{node};
4060
4061 die "Both VMs need to be on the same node ($source_node != $target_node)\n"
4062 if $source_node ne $target_node;
4063
4064 my $source_conf = PVE::QemuConfig->load_config($vmid);
4065 PVE::QemuConfig->check_lock($source_conf);
4066 my $target_conf = PVE::QemuConfig->load_config($target_vmid);
4067 PVE::QemuConfig->check_lock($target_conf);
4068
4069 die "Can't move disks from or to template VMs\n"
4070 if ($source_conf->{template} || $target_conf->{template});
4071
4072 if ($digest) {
4073 eval { PVE::Tools::assert_if_modified($digest, $source_conf->{digest}) };
4074 die "VM ${vmid}: $@" if $@;
4075 }
4076
4077 if ($target_digest) {
4078 eval { PVE::Tools::assert_if_modified($target_digest, $target_conf->{digest}) };
4079 die "VM ${target_vmid}: $@" if $@;
4080 }
4081
4082 die "Disk '${disk}' for VM '$vmid' does not exist\n" if !defined($source_conf->{$disk});
4083
4084 die "Target disk key '${target_disk}' is already in use for VM '$target_vmid'\n"
4085 if $target_conf->{$target_disk};
4086
4087 my $drive = PVE::QemuServer::parse_drive(
4088 $disk,
4089 $source_conf->{$disk},
4090 );
4091 die "failed to parse source disk - $@\n" if !$drive;
4092
4093 my $source_volid = $drive->{file};
4094
4095 die "disk '${disk}' has no associated volume\n" if !$source_volid;
4096 die "CD drive contents can't be moved to another VM\n"
4097 if PVE::QemuServer::drive_is_cdrom($drive, 1);
4098
4099 my $storeid = PVE::Storage::parse_volume_id($source_volid, 1);
4100 die "Volume '$source_volid' not managed by PVE\n" if !defined($storeid);
4101
4102 die "Can't move disk used by a snapshot to another VM\n"
4103 if PVE::QemuServer::Drive::is_volume_in_use($storecfg, $source_conf, $disk, $source_volid);
4104 die "Storage does not support moving of this disk to another VM\n"
4105 if (!PVE::Storage::volume_has_feature($storecfg, 'rename', $source_volid));
4106 die "Cannot move disk to another VM while the source VM is running - detach first\n"
4107 if PVE::QemuServer::check_running($vmid) && $disk !~ m/^unused\d+$/;
4108
4109 # now re-parse using target disk slot format
4110 if ($target_disk =~ /^unused\d+$/) {
4111 $drive = PVE::QemuServer::parse_drive(
4112 $target_disk,
4113 $source_volid,
4114 );
4115 } else {
4116 $drive = PVE::QemuServer::parse_drive(
4117 $target_disk,
4118 $source_conf->{$disk},
4119 );
4120 }
4121 die "failed to parse source disk for target disk format - $@\n" if !$drive;
4122
4123 my $repl_conf = PVE::ReplicationConfig->new();
4124 if ($repl_conf->check_for_existing_jobs($target_vmid, 1)) {
4125 my $format = (PVE::Storage::parse_volname($storecfg, $source_volid))[6];
4126 die "Cannot move disk to a replicated VM. Storage does not support replication!\n"
4127 if !PVE::Storage::storage_can_replicate($storecfg, $storeid, $format);
4128 }
4129
4130 return ($source_conf, $target_conf, $drive);
4131 };
4132
4133 my $logfunc = sub {
4134 my ($msg) = @_;
4135 print STDERR "$msg\n";
4136 };
4137
4138 my $disk_reassignfn = sub {
4139 return PVE::QemuConfig->lock_config($vmid, sub {
4140 return PVE::QemuConfig->lock_config($target_vmid, sub {
4141 my ($source_conf, $target_conf, $drive) = &$load_and_check_reassign_configs();
4142
4143 my $source_volid = $drive->{file};
4144
4145 print "moving disk '$disk' from VM '$vmid' to '$target_vmid'\n";
4146 my ($storeid, $source_volname) = PVE::Storage::parse_volume_id($source_volid);
4147
4148 my $fmt = (PVE::Storage::parse_volname($storecfg, $source_volid))[6];
4149
4150 my $new_volid = PVE::Storage::rename_volume(
4151 $storecfg,
4152 $source_volid,
4153 $target_vmid,
4154 );
4155
4156 $drive->{file} = $new_volid;
4157
4158 my $boot_order = PVE::QemuServer::device_bootorder($source_conf);
4159 if (defined(delete $boot_order->{$disk})) {
4160 print "removing disk '$disk' from boot order config\n";
4161 my $boot_devs = [ sort { $boot_order->{$a} <=> $boot_order->{$b} } keys %$boot_order ];
4162 $source_conf->{boot} = PVE::QemuServer::print_bootorder($boot_devs);
4163 }
4164
4165 delete $source_conf->{$disk};
4166 print "removing disk '${disk}' from VM '${vmid}' config\n";
4167 PVE::QemuConfig->write_config($vmid, $source_conf);
4168
4169 my $drive_string = PVE::QemuServer::print_drive($drive);
4170
4171 if ($target_disk =~ /^unused\d+$/) {
4172 $target_conf->{$target_disk} = $drive_string;
4173 PVE::QemuConfig->write_config($target_vmid, $target_conf);
4174 } else {
4175 &$update_vm_api(
4176 {
4177 node => $node,
4178 vmid => $target_vmid,
4179 digest => $target_digest,
4180 $target_disk => $drive_string,
4181 },
4182 1,
4183 );
4184 }
4185
4186 # remove possible replication snapshots
4187 if (PVE::Storage::volume_has_feature(
4188 $storecfg,
4189 'replicate',
4190 $source_volid),
4191 ) {
4192 eval {
4193 PVE::Replication::prepare(
4194 $storecfg,
4195 [$new_volid],
4196 undef,
4197 1,
4198 undef,
4199 $logfunc,
4200 )
4201 };
4202 if (my $err = $@) {
4203 print "Failed to remove replication snapshots on moved disk " .
4204 "'$target_disk'. Manual cleanup could be necessary.\n";
4205 }
4206 }
4207 });
4208 });
4209 };
4210
4211 if ($target_vmid && $storeid) {
4212 my $msg = "either set 'storage' or 'target-vmid', but not both";
4213 raise_param_exc({ 'target-vmid' => $msg, 'storage' => $msg });
4214 } elsif ($target_vmid) {
4215 $rpcenv->check_vm_perm($authuser, $target_vmid, undef, ['VM.Config.Disk'])
4216 if $authuser ne 'root@pam';
4217
4218 raise_param_exc({ 'target-vmid' => "must be different than source VMID to reassign disk" })
4219 if $vmid eq $target_vmid;
4220
4221 my (undef, undef, $drive) = &$load_and_check_reassign_configs();
4222 my $storage = PVE::Storage::parse_volume_id($drive->{file});
4223 $rpcenv->check($authuser, "/storage/$storage", ['Datastore.AllocateSpace']);
4224
4225 return $rpcenv->fork_worker(
4226 'qmmove',
4227 "${vmid}-${disk}>${target_vmid}-${target_disk}",
4228 $authuser,
4229 $disk_reassignfn
4230 );
4231 } elsif ($storeid) {
4232 $rpcenv->check($authuser, "/storage/$storeid", ['Datastore.AllocateSpace']);
4233
4234 die "cannot move disk '$disk', only configured disks can be moved to another storage\n"
4235 if $disk =~ m/^unused\d+$/;
4236
4237 $load_and_check_move->(); # early checks before forking/locking
4238
4239 my $realcmd = sub {
4240 PVE::QemuConfig->lock_config($vmid, $move_updatefn);
4241 };
4242
4243 return $rpcenv->fork_worker('qmmove', $vmid, $authuser, $realcmd);
4244 } else {
4245 my $msg = "both 'storage' and 'target-vmid' missing, either needs to be set";
4246 raise_param_exc({ 'target-vmid' => $msg, 'storage' => $msg });
4247 }
4248 }});
4249
4250 my $check_vm_disks_local = sub {
4251 my ($storecfg, $vmconf, $vmid) = @_;
4252
4253 my $local_disks = {};
4254
4255 # add some more information to the disks e.g. cdrom
4256 PVE::QemuServer::foreach_volid($vmconf, sub {
4257 my ($volid, $attr) = @_;
4258
4259 my ($storeid, $volname) = PVE::Storage::parse_volume_id($volid, 1);
4260 if ($storeid) {
4261 my $scfg = PVE::Storage::storage_config($storecfg, $storeid);
4262 return if $scfg->{shared};
4263 }
4264 # The shared attr here is just a special case where the vdisk
4265 # is marked as shared manually
4266 return if $attr->{shared};
4267 return if $attr->{cdrom} and $volid eq "none";
4268
4269 if (exists $local_disks->{$volid}) {
4270 @{$local_disks->{$volid}}{keys %$attr} = values %$attr
4271 } else {
4272 $local_disks->{$volid} = $attr;
4273 # ensure volid is present in case it's needed
4274 $local_disks->{$volid}->{volid} = $volid;
4275 }
4276 });
4277
4278 return $local_disks;
4279 };
4280
4281 __PACKAGE__->register_method({
4282 name => 'migrate_vm_precondition',
4283 path => '{vmid}/migrate',
4284 method => 'GET',
4285 protected => 1,
4286 proxyto => 'node',
4287 description => "Get preconditions for migration.",
4288 permissions => {
4289 check => ['perm', '/vms/{vmid}', [ 'VM.Migrate' ]],
4290 },
4291 parameters => {
4292 additionalProperties => 0,
4293 properties => {
4294 node => get_standard_option('pve-node'),
4295 vmid => get_standard_option('pve-vmid', { completion => \&PVE::QemuServer::complete_vmid }),
4296 target => get_standard_option('pve-node', {
4297 description => "Target node.",
4298 completion => \&PVE::Cluster::complete_migration_target,
4299 optional => 1,
4300 }),
4301 },
4302 },
4303 returns => {
4304 type => "object",
4305 properties => {
4306 running => { type => 'boolean' },
4307 allowed_nodes => {
4308 type => 'array',
4309 optional => 1,
4310 description => "List nodes allowed for offline migration, only passed if VM is offline"
4311 },
4312 not_allowed_nodes => {
4313 type => 'object',
4314 optional => 1,
4315 description => "List not allowed nodes with additional informations, only passed if VM is offline"
4316 },
4317 local_disks => {
4318 type => 'array',
4319 description => "List local disks including CD-Rom, unsused and not referenced disks"
4320 },
4321 local_resources => {
4322 type => 'array',
4323 description => "List local resources e.g. pci, usb"
4324 },
4325 'mapped-resources' => {
4326 type => 'array',
4327 description => "List of mapped resources e.g. pci, usb"
4328 },
4329 },
4330 },
4331 code => sub {
4332 my ($param) = @_;
4333
4334 my $rpcenv = PVE::RPCEnvironment::get();
4335
4336 my $authuser = $rpcenv->get_user();
4337
4338 PVE::Cluster::check_cfs_quorum();
4339
4340 my $res = {};
4341
4342 my $vmid = extract_param($param, 'vmid');
4343 my $target = extract_param($param, 'target');
4344 my $localnode = PVE::INotify::nodename();
4345
4346
4347 # test if VM exists
4348 my $vmconf = PVE::QemuConfig->load_config($vmid);
4349 my $storecfg = PVE::Storage::config();
4350
4351
4352 # try to detect errors early
4353 PVE::QemuConfig->check_lock($vmconf);
4354
4355 $res->{running} = PVE::QemuServer::check_running($vmid) ? 1:0;
4356
4357 my ($local_resources, $mapped_resources, $missing_mappings_by_node) =
4358 PVE::QemuServer::check_local_resources($vmconf, 1);
4359 delete $missing_mappings_by_node->{$localnode};
4360
4361 # if vm is not running, return target nodes where local storage/mapped devices are available
4362 # for offline migration
4363 if (!$res->{running}) {
4364 $res->{allowed_nodes} = [];
4365 my $checked_nodes = PVE::QemuServer::check_local_storage_availability($vmconf, $storecfg);
4366 delete $checked_nodes->{$localnode};
4367
4368 foreach my $node (keys %$checked_nodes) {
4369 my $missing_mappings = $missing_mappings_by_node->{$node};
4370 if (scalar($missing_mappings->@*)) {
4371 $checked_nodes->{$node}->{'unavailable-resources'} = $missing_mappings;
4372 next;
4373 }
4374
4375 if (!defined($checked_nodes->{$node}->{unavailable_storages})) {
4376 push @{$res->{allowed_nodes}}, $node;
4377 }
4378
4379 }
4380 $res->{not_allowed_nodes} = $checked_nodes;
4381 }
4382
4383 my $local_disks = &$check_vm_disks_local($storecfg, $vmconf, $vmid);
4384 $res->{local_disks} = [ values %$local_disks ];;
4385
4386 $res->{local_resources} = $local_resources;
4387 $res->{'mapped-resources'} = $mapped_resources;
4388
4389 return $res;
4390
4391
4392 }});
4393
4394 __PACKAGE__->register_method({
4395 name => 'migrate_vm',
4396 path => '{vmid}/migrate',
4397 method => 'POST',
4398 protected => 1,
4399 proxyto => 'node',
4400 description => "Migrate virtual machine. Creates a new migration task.",
4401 permissions => {
4402 check => ['perm', '/vms/{vmid}', [ 'VM.Migrate' ]],
4403 },
4404 parameters => {
4405 additionalProperties => 0,
4406 properties => {
4407 node => get_standard_option('pve-node'),
4408 vmid => get_standard_option('pve-vmid', { completion => \&PVE::QemuServer::complete_vmid }),
4409 target => get_standard_option('pve-node', {
4410 description => "Target node.",
4411 completion => \&PVE::Cluster::complete_migration_target,
4412 }),
4413 online => {
4414 type => 'boolean',
4415 description => "Use online/live migration if VM is running. Ignored if VM is stopped.",
4416 optional => 1,
4417 },
4418 force => {
4419 type => 'boolean',
4420 description => "Allow to migrate VMs which use local devices. Only root may use this option.",
4421 optional => 1,
4422 },
4423 migration_type => {
4424 type => 'string',
4425 enum => ['secure', 'insecure'],
4426 description => "Migration traffic is encrypted using an SSH tunnel by default. On secure, completely private networks this can be disabled to increase performance.",
4427 optional => 1,
4428 },
4429 migration_network => {
4430 type => 'string', format => 'CIDR',
4431 description => "CIDR of the (sub) network that is used for migration.",
4432 optional => 1,
4433 },
4434 "with-local-disks" => {
4435 type => 'boolean',
4436 description => "Enable live storage migration for local disk",
4437 optional => 1,
4438 },
4439 targetstorage => get_standard_option('pve-targetstorage', {
4440 completion => \&PVE::QemuServer::complete_migration_storage,
4441 }),
4442 bwlimit => {
4443 description => "Override I/O bandwidth limit (in KiB/s).",
4444 optional => 1,
4445 type => 'integer',
4446 minimum => '0',
4447 default => 'migrate limit from datacenter or storage config',
4448 },
4449 },
4450 },
4451 returns => {
4452 type => 'string',
4453 description => "the task ID.",
4454 },
4455 code => sub {
4456 my ($param) = @_;
4457
4458 my $rpcenv = PVE::RPCEnvironment::get();
4459 my $authuser = $rpcenv->get_user();
4460
4461 my $target = extract_param($param, 'target');
4462
4463 my $localnode = PVE::INotify::nodename();
4464 raise_param_exc({ target => "target is local node."}) if $target eq $localnode;
4465
4466 PVE::Cluster::check_cfs_quorum();
4467
4468 PVE::Cluster::check_node_exists($target);
4469
4470 my $targetip = PVE::Cluster::remote_node_ip($target);
4471
4472 my $vmid = extract_param($param, 'vmid');
4473
4474 raise_param_exc({ force => "Only root may use this option." })
4475 if $param->{force} && $authuser ne 'root@pam';
4476
4477 raise_param_exc({ migration_type => "Only root may use this option." })
4478 if $param->{migration_type} && $authuser ne 'root@pam';
4479
4480 # allow root only until better network permissions are available
4481 raise_param_exc({ migration_network => "Only root may use this option." })
4482 if $param->{migration_network} && $authuser ne 'root@pam';
4483
4484 # test if VM exists
4485 my $conf = PVE::QemuConfig->load_config($vmid);
4486
4487 # try to detect errors early
4488
4489 PVE::QemuConfig->check_lock($conf);
4490
4491 if (PVE::QemuServer::check_running($vmid)) {
4492 die "can't migrate running VM without --online\n" if !$param->{online};
4493
4494 my $repl_conf = PVE::ReplicationConfig->new();
4495 my $is_replicated = $repl_conf->check_for_existing_jobs($vmid, 1);
4496 my $is_replicated_to_target = defined($repl_conf->find_local_replication_job($vmid, $target));
4497 if (!$param->{force} && $is_replicated && !$is_replicated_to_target) {
4498 die "Cannot live-migrate replicated VM to node '$target' - not a replication " .
4499 "target. Use 'force' to override.\n";
4500 }
4501 } else {
4502 warn "VM isn't running. Doing offline migration instead.\n" if $param->{online};
4503 $param->{online} = 0;
4504 }
4505
4506 my $storecfg = PVE::Storage::config();
4507 if (my $targetstorage = $param->{targetstorage}) {
4508 my $storagemap = eval { PVE::JSONSchema::parse_idmap($targetstorage, 'pve-storage-id') };
4509 raise_param_exc({ targetstorage => "failed to parse storage map: $@" })
4510 if $@;
4511
4512 $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Disk'])
4513 if !defined($storagemap->{identity});
4514
4515 foreach my $target_sid (values %{$storagemap->{entries}}) {
4516 $check_storage_access_migrate->($rpcenv, $authuser, $storecfg, $target_sid, $target);
4517 }
4518
4519 $check_storage_access_migrate->($rpcenv, $authuser, $storecfg, $storagemap->{default}, $target)
4520 if $storagemap->{default};
4521
4522 PVE::QemuServer::check_storage_availability($storecfg, $conf, $target)
4523 if $storagemap->{identity};
4524
4525 $param->{storagemap} = $storagemap;
4526 } else {
4527 PVE::QemuServer::check_storage_availability($storecfg, $conf, $target);
4528 }
4529
4530 if (PVE::HA::Config::vm_is_ha_managed($vmid) && $rpcenv->{type} ne 'ha') {
4531
4532 my $hacmd = sub {
4533 my $upid = shift;
4534
4535 print "Requesting HA migration for VM $vmid to node $target\n";
4536
4537 my $cmd = ['ha-manager', 'migrate', "vm:$vmid", $target];
4538 PVE::Tools::run_command($cmd);
4539 return;
4540 };
4541
4542 return $rpcenv->fork_worker('hamigrate', $vmid, $authuser, $hacmd);
4543
4544 } else {
4545
4546 my $realcmd = sub {
4547 PVE::QemuMigrate->migrate($target, $targetip, $vmid, $param);
4548 };
4549
4550 my $worker = sub {
4551 return PVE::GuestHelpers::guest_migration_lock($vmid, 10, $realcmd);
4552 };
4553
4554 return $rpcenv->fork_worker('qmigrate', $vmid, $authuser, $worker);
4555 }
4556
4557 }});
4558
4559 __PACKAGE__->register_method({
4560 name => 'remote_migrate_vm',
4561 path => '{vmid}/remote_migrate',
4562 method => 'POST',
4563 protected => 1,
4564 proxyto => 'node',
4565 description => "Migrate virtual machine to a remote cluster. Creates a new migration task. EXPERIMENTAL feature!",
4566 permissions => {
4567 check => ['perm', '/vms/{vmid}', [ 'VM.Migrate' ]],
4568 },
4569 parameters => {
4570 additionalProperties => 0,
4571 properties => {
4572 node => get_standard_option('pve-node'),
4573 vmid => get_standard_option('pve-vmid', { completion => \&PVE::QemuServer::complete_vmid }),
4574 'target-vmid' => get_standard_option('pve-vmid', { optional => 1 }),
4575 'target-endpoint' => get_standard_option('proxmox-remote', {
4576 description => "Remote target endpoint",
4577 }),
4578 online => {
4579 type => 'boolean',
4580 description => "Use online/live migration if VM is running. Ignored if VM is stopped.",
4581 optional => 1,
4582 },
4583 delete => {
4584 type => 'boolean',
4585 description => "Delete the original VM and related data after successful migration. By default the original VM is kept on the source cluster in a stopped state.",
4586 optional => 1,
4587 default => 0,
4588 },
4589 'target-storage' => get_standard_option('pve-targetstorage', {
4590 completion => \&PVE::QemuServer::complete_migration_storage,
4591 optional => 0,
4592 }),
4593 'target-bridge' => {
4594 type => 'string',
4595 description => "Mapping from source to target bridges. Providing only a single bridge ID maps all source bridges to that bridge. Providing the special value '1' will map each source bridge to itself.",
4596 format => 'bridge-pair-list',
4597 },
4598 bwlimit => {
4599 description => "Override I/O bandwidth limit (in KiB/s).",
4600 optional => 1,
4601 type => 'integer',
4602 minimum => '0',
4603 default => 'migrate limit from datacenter or storage config',
4604 },
4605 },
4606 },
4607 returns => {
4608 type => 'string',
4609 description => "the task ID.",
4610 },
4611 code => sub {
4612 my ($param) = @_;
4613
4614 my $rpcenv = PVE::RPCEnvironment::get();
4615 my $authuser = $rpcenv->get_user();
4616
4617 my $source_vmid = extract_param($param, 'vmid');
4618 my $target_endpoint = extract_param($param, 'target-endpoint');
4619 my $target_vmid = extract_param($param, 'target-vmid') // $source_vmid;
4620
4621 my $delete = extract_param($param, 'delete') // 0;
4622
4623 PVE::Cluster::check_cfs_quorum();
4624
4625 # test if VM exists
4626 my $conf = PVE::QemuConfig->load_config($source_vmid);
4627
4628 PVE::QemuConfig->check_lock($conf);
4629
4630 raise_param_exc({ vmid => "cannot migrate HA-managed VM to remote cluster" })
4631 if PVE::HA::Config::vm_is_ha_managed($source_vmid);
4632
4633 my $remote = PVE::JSONSchema::parse_property_string('proxmox-remote', $target_endpoint);
4634
4635 # TODO: move this as helper somewhere appropriate?
4636 my $conn_args = {
4637 protocol => 'https',
4638 host => $remote->{host},
4639 port => $remote->{port} // 8006,
4640 apitoken => $remote->{apitoken},
4641 };
4642
4643 my $fp;
4644 if ($fp = $remote->{fingerprint}) {
4645 $conn_args->{cached_fingerprints} = { uc($fp) => 1 };
4646 }
4647
4648 print "Establishing API connection with remote at '$remote->{host}'\n";
4649
4650 my $api_client = PVE::APIClient::LWP->new(%$conn_args);
4651
4652 if (!defined($fp)) {
4653 my $cert_info = $api_client->get("/nodes/localhost/certificates/info");
4654 foreach my $cert (@$cert_info) {
4655 my $filename = $cert->{filename};
4656 next if $filename ne 'pveproxy-ssl.pem' && $filename ne 'pve-ssl.pem';
4657 $fp = $cert->{fingerprint} if !$fp || $filename eq 'pveproxy-ssl.pem';
4658 }
4659 $conn_args->{cached_fingerprints} = { uc($fp) => 1 }
4660 if defined($fp);
4661 }
4662
4663 my $repl_conf = PVE::ReplicationConfig->new();
4664 my $is_replicated = $repl_conf->check_for_existing_jobs($source_vmid, 1);
4665 die "cannot remote-migrate replicated VM\n" if $is_replicated;
4666
4667 if (PVE::QemuServer::check_running($source_vmid)) {
4668 die "can't migrate running VM without --online\n" if !$param->{online};
4669
4670 } else {
4671 warn "VM isn't running. Doing offline migration instead.\n" if $param->{online};
4672 $param->{online} = 0;
4673 }
4674
4675 my $storecfg = PVE::Storage::config();
4676 my $target_storage = extract_param($param, 'target-storage');
4677 my $storagemap = eval { PVE::JSONSchema::parse_idmap($target_storage, 'pve-storage-id') };
4678 raise_param_exc({ 'target-storage' => "failed to parse storage map: $@" })
4679 if $@;
4680
4681 my $target_bridge = extract_param($param, 'target-bridge');
4682 my $bridgemap = eval { PVE::JSONSchema::parse_idmap($target_bridge, 'pve-bridge-id') };
4683 raise_param_exc({ 'target-bridge' => "failed to parse bridge map: $@" })
4684 if $@;
4685
4686 die "remote migration requires explicit storage mapping!\n"
4687 if $storagemap->{identity};
4688
4689 $param->{storagemap} = $storagemap;
4690 $param->{bridgemap} = $bridgemap;
4691 $param->{remote} = {
4692 conn => $conn_args, # re-use fingerprint for tunnel
4693 client => $api_client,
4694 vmid => $target_vmid,
4695 };
4696 $param->{migration_type} = 'websocket';
4697 $param->{'with-local-disks'} = 1;
4698 $param->{delete} = $delete if $delete;
4699
4700 my $cluster_status = $api_client->get("/cluster/status");
4701 my $target_node;
4702 foreach my $entry (@$cluster_status) {
4703 next if $entry->{type} ne 'node';
4704 if ($entry->{local}) {
4705 $target_node = $entry->{name};
4706 last;
4707 }
4708 }
4709
4710 die "couldn't determine endpoint's node name\n"
4711 if !defined($target_node);
4712
4713 my $realcmd = sub {
4714 PVE::QemuMigrate->migrate($target_node, $remote->{host}, $source_vmid, $param);
4715 };
4716
4717 my $worker = sub {
4718 return PVE::GuestHelpers::guest_migration_lock($source_vmid, 10, $realcmd);
4719 };
4720
4721 return $rpcenv->fork_worker('qmigrate', $source_vmid, $authuser, $worker);
4722 }});
4723
4724 __PACKAGE__->register_method({
4725 name => 'monitor',
4726 path => '{vmid}/monitor',
4727 method => 'POST',
4728 protected => 1,
4729 proxyto => 'node',
4730 description => "Execute QEMU monitor commands.",
4731 permissions => {
4732 description => "Sys.Modify is required for (sub)commands which are not read-only ('info *' and 'help')",
4733 check => ['perm', '/vms/{vmid}', [ 'VM.Monitor' ]],
4734 },
4735 parameters => {
4736 additionalProperties => 0,
4737 properties => {
4738 node => get_standard_option('pve-node'),
4739 vmid => get_standard_option('pve-vmid'),
4740 command => {
4741 type => 'string',
4742 description => "The monitor command.",
4743 }
4744 },
4745 },
4746 returns => { type => 'string'},
4747 code => sub {
4748 my ($param) = @_;
4749
4750 my $rpcenv = PVE::RPCEnvironment::get();
4751 my $authuser = $rpcenv->get_user();
4752
4753 my $is_ro = sub {
4754 my $command = shift;
4755 return $command =~ m/^\s*info(\s+|$)/
4756 || $command =~ m/^\s*help\s*$/;
4757 };
4758
4759 $rpcenv->check_full($authuser, "/", ['Sys.Modify'])
4760 if !&$is_ro($param->{command});
4761
4762 my $vmid = $param->{vmid};
4763
4764 my $conf = PVE::QemuConfig->load_config ($vmid); # check if VM exists
4765
4766 my $res = '';
4767 eval {
4768 $res = PVE::QemuServer::Monitor::hmp_cmd($vmid, $param->{command});
4769 };
4770 $res = "ERROR: $@" if $@;
4771
4772 return $res;
4773 }});
4774
4775 __PACKAGE__->register_method({
4776 name => 'resize_vm',
4777 path => '{vmid}/resize',
4778 method => 'PUT',
4779 protected => 1,
4780 proxyto => 'node',
4781 description => "Extend volume size.",
4782 permissions => {
4783 check => ['perm', '/vms/{vmid}', [ 'VM.Config.Disk' ]],
4784 },
4785 parameters => {
4786 additionalProperties => 0,
4787 properties => {
4788 node => get_standard_option('pve-node'),
4789 vmid => get_standard_option('pve-vmid', { completion => \&PVE::QemuServer::complete_vmid }),
4790 skiplock => get_standard_option('skiplock'),
4791 disk => {
4792 type => 'string',
4793 description => "The disk you want to resize.",
4794 enum => [PVE::QemuServer::Drive::valid_drive_names()],
4795 },
4796 size => {
4797 type => 'string',
4798 pattern => '\+?\d+(\.\d+)?[KMGT]?',
4799 description => "The new size. With the `+` sign the value is added to the actual size of the volume and without it, the value is taken as an absolute one. Shrinking disk size is not supported.",
4800 },
4801 digest => {
4802 type => 'string',
4803 description => 'Prevent changes if current configuration file has different SHA1 digest. This can be used to prevent concurrent modifications.',
4804 maxLength => 40,
4805 optional => 1,
4806 },
4807 },
4808 },
4809 returns => {
4810 type => 'string',
4811 description => "the task ID.",
4812 },
4813 code => sub {
4814 my ($param) = @_;
4815
4816 my $rpcenv = PVE::RPCEnvironment::get();
4817
4818 my $authuser = $rpcenv->get_user();
4819
4820 my $node = extract_param($param, 'node');
4821
4822 my $vmid = extract_param($param, 'vmid');
4823
4824 my $digest = extract_param($param, 'digest');
4825
4826 my $disk = extract_param($param, 'disk');
4827
4828 my $sizestr = extract_param($param, 'size');
4829
4830 my $skiplock = extract_param($param, 'skiplock');
4831 raise_param_exc({ skiplock => "Only root may use this option." })
4832 if $skiplock && $authuser ne 'root@pam';
4833
4834 my $storecfg = PVE::Storage::config();
4835
4836 my $updatefn = sub {
4837
4838 my $conf = PVE::QemuConfig->load_config($vmid);
4839
4840 die "checksum missmatch (file change by other user?)\n"
4841 if $digest && $digest ne $conf->{digest};
4842 PVE::QemuConfig->check_lock($conf) if !$skiplock;
4843
4844 die "disk '$disk' does not exist\n" if !$conf->{$disk};
4845
4846 my $drive = PVE::QemuServer::parse_drive($disk, $conf->{$disk});
4847
4848 my (undef, undef, undef, undef, undef, undef, $format) =
4849 PVE::Storage::parse_volname($storecfg, $drive->{file});
4850
4851 my $volid = $drive->{file};
4852
4853 die "disk '$disk' has no associated volume\n" if !$volid;
4854
4855 die "you can't resize a cdrom\n" if PVE::QemuServer::drive_is_cdrom($drive);
4856
4857 my ($storeid, $volname) = PVE::Storage::parse_volume_id($volid);
4858
4859 $rpcenv->check($authuser, "/storage/$storeid", ['Datastore.AllocateSpace']);
4860
4861 PVE::Storage::activate_volumes($storecfg, [$volid]);
4862 my $size = PVE::Storage::volume_size_info($storecfg, $volid, 5);
4863
4864 die "Could not determine current size of volume '$volid'\n" if !defined($size);
4865
4866 die "internal error" if $sizestr !~ m/^(\+)?(\d+(\.\d+)?)([KMGT])?$/;
4867 my ($ext, $newsize, $unit) = ($1, $2, $4);
4868 if ($unit) {
4869 if ($unit eq 'K') {
4870 $newsize = $newsize * 1024;
4871 } elsif ($unit eq 'M') {
4872 $newsize = $newsize * 1024 * 1024;
4873 } elsif ($unit eq 'G') {
4874 $newsize = $newsize * 1024 * 1024 * 1024;
4875 } elsif ($unit eq 'T') {
4876 $newsize = $newsize * 1024 * 1024 * 1024 * 1024;
4877 }
4878 }
4879 $newsize += $size if $ext;
4880 $newsize = int($newsize);
4881
4882 die "shrinking disks is not supported\n" if $newsize < $size;
4883
4884 return if $size == $newsize;
4885
4886 PVE::Cluster::log_msg('info', $authuser, "update VM $vmid: resize --disk $disk --size $sizestr");
4887
4888 PVE::QemuServer::qemu_block_resize($vmid, "drive-$disk", $storecfg, $volid, $newsize);
4889
4890 $drive->{size} = $newsize;
4891 $conf->{$disk} = PVE::QemuServer::print_drive($drive);
4892
4893 PVE::QemuConfig->write_config($vmid, $conf);
4894 };
4895
4896 my $worker = sub {
4897 PVE::QemuConfig->lock_config($vmid, $updatefn);
4898 };
4899
4900 return $rpcenv->fork_worker('resize', $vmid, $authuser, $worker);
4901 }});
4902
4903 __PACKAGE__->register_method({
4904 name => 'snapshot_list',
4905 path => '{vmid}/snapshot',
4906 method => 'GET',
4907 description => "List all snapshots.",
4908 permissions => {
4909 check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
4910 },
4911 proxyto => 'node',
4912 protected => 1, # qemu pid files are only readable by root
4913 parameters => {
4914 additionalProperties => 0,
4915 properties => {
4916 vmid => get_standard_option('pve-vmid', { completion => \&PVE::QemuServer::complete_vmid }),
4917 node => get_standard_option('pve-node'),
4918 },
4919 },
4920 returns => {
4921 type => 'array',
4922 items => {
4923 type => "object",
4924 properties => {
4925 name => {
4926 description => "Snapshot identifier. Value 'current' identifies the current VM.",
4927 type => 'string',
4928 },
4929 vmstate => {
4930 description => "Snapshot includes RAM.",
4931 type => 'boolean',
4932 optional => 1,
4933 },
4934 description => {
4935 description => "Snapshot description.",
4936 type => 'string',
4937 },
4938 snaptime => {
4939 description => "Snapshot creation time",
4940 type => 'integer',
4941 renderer => 'timestamp',
4942 optional => 1,
4943 },
4944 parent => {
4945 description => "Parent snapshot identifier.",
4946 type => 'string',
4947 optional => 1,
4948 },
4949 },
4950 },
4951 links => [ { rel => 'child', href => "{name}" } ],
4952 },
4953 code => sub {
4954 my ($param) = @_;
4955
4956 my $vmid = $param->{vmid};
4957
4958 my $conf = PVE::QemuConfig->load_config($vmid);
4959 my $snaphash = $conf->{snapshots} || {};
4960
4961 my $res = [];
4962
4963 foreach my $name (keys %$snaphash) {
4964 my $d = $snaphash->{$name};
4965 my $item = {
4966 name => $name,
4967 snaptime => $d->{snaptime} || 0,
4968 vmstate => $d->{vmstate} ? 1 : 0,
4969 description => $d->{description} || '',
4970 };
4971 $item->{parent} = $d->{parent} if $d->{parent};
4972 $item->{snapstate} = $d->{snapstate} if $d->{snapstate};
4973 push @$res, $item;
4974 }
4975
4976 my $running = PVE::QemuServer::check_running($vmid, 1) ? 1 : 0;
4977 my $current = {
4978 name => 'current',
4979 digest => $conf->{digest},
4980 running => $running,
4981 description => "You are here!",
4982 };
4983 $current->{parent} = $conf->{parent} if $conf->{parent};
4984
4985 push @$res, $current;
4986
4987 return $res;
4988 }});
4989
4990 __PACKAGE__->register_method({
4991 name => 'snapshot',
4992 path => '{vmid}/snapshot',
4993 method => 'POST',
4994 protected => 1,
4995 proxyto => 'node',
4996 description => "Snapshot a VM.",
4997 permissions => {
4998 check => ['perm', '/vms/{vmid}', [ 'VM.Snapshot' ]],
4999 },
5000 parameters => {
5001 additionalProperties => 0,
5002 properties => {
5003 node => get_standard_option('pve-node'),
5004 vmid => get_standard_option('pve-vmid', { completion => \&PVE::QemuServer::complete_vmid }),
5005 snapname => get_standard_option('pve-snapshot-name'),
5006 vmstate => {
5007 optional => 1,
5008 type => 'boolean',
5009 description => "Save the vmstate",
5010 },
5011 description => {
5012 optional => 1,
5013 type => 'string',
5014 description => "A textual description or comment.",
5015 },
5016 },
5017 },
5018 returns => {
5019 type => 'string',
5020 description => "the task ID.",
5021 },
5022 code => sub {
5023 my ($param) = @_;
5024
5025 my $rpcenv = PVE::RPCEnvironment::get();
5026
5027 my $authuser = $rpcenv->get_user();
5028
5029 my $node = extract_param($param, 'node');
5030
5031 my $vmid = extract_param($param, 'vmid');
5032
5033 my $snapname = extract_param($param, 'snapname');
5034
5035 die "unable to use snapshot name 'current' (reserved name)\n"
5036 if $snapname eq 'current';
5037
5038 die "unable to use snapshot name 'pending' (reserved name)\n"
5039 if lc($snapname) eq 'pending';
5040
5041 my $realcmd = sub {
5042 PVE::Cluster::log_msg('info', $authuser, "snapshot VM $vmid: $snapname");
5043 PVE::QemuConfig->snapshot_create($vmid, $snapname, $param->{vmstate},
5044 $param->{description});
5045 };
5046
5047 return $rpcenv->fork_worker('qmsnapshot', $vmid, $authuser, $realcmd);
5048 }});
5049
5050 __PACKAGE__->register_method({
5051 name => 'snapshot_cmd_idx',
5052 path => '{vmid}/snapshot/{snapname}',
5053 description => '',
5054 method => 'GET',
5055 permissions => {
5056 user => 'all',
5057 },
5058 parameters => {
5059 additionalProperties => 0,
5060 properties => {
5061 vmid => get_standard_option('pve-vmid'),
5062 node => get_standard_option('pve-node'),
5063 snapname => get_standard_option('pve-snapshot-name'),
5064 },
5065 },
5066 returns => {
5067 type => 'array',
5068 items => {
5069 type => "object",
5070 properties => {},
5071 },
5072 links => [ { rel => 'child', href => "{cmd}" } ],
5073 },
5074 code => sub {
5075 my ($param) = @_;
5076
5077 my $res = [];
5078
5079 push @$res, { cmd => 'rollback' };
5080 push @$res, { cmd => 'config' };
5081
5082 return $res;
5083 }});
5084
5085 __PACKAGE__->register_method({
5086 name => 'update_snapshot_config',
5087 path => '{vmid}/snapshot/{snapname}/config',
5088 method => 'PUT',
5089 protected => 1,
5090 proxyto => 'node',
5091 description => "Update snapshot metadata.",
5092 permissions => {
5093 check => ['perm', '/vms/{vmid}', [ 'VM.Snapshot' ]],
5094 },
5095 parameters => {
5096 additionalProperties => 0,
5097 properties => {
5098 node => get_standard_option('pve-node'),
5099 vmid => get_standard_option('pve-vmid'),
5100 snapname => get_standard_option('pve-snapshot-name'),
5101 description => {
5102 optional => 1,
5103 type => 'string',
5104 description => "A textual description or comment.",
5105 },
5106 },
5107 },
5108 returns => { type => 'null' },
5109 code => sub {
5110 my ($param) = @_;
5111
5112 my $rpcenv = PVE::RPCEnvironment::get();
5113
5114 my $authuser = $rpcenv->get_user();
5115
5116 my $vmid = extract_param($param, 'vmid');
5117
5118 my $snapname = extract_param($param, 'snapname');
5119
5120 return if !defined($param->{description});
5121
5122 my $updatefn = sub {
5123
5124 my $conf = PVE::QemuConfig->load_config($vmid);
5125
5126 PVE::QemuConfig->check_lock($conf);
5127
5128 my $snap = $conf->{snapshots}->{$snapname};
5129
5130 die "snapshot '$snapname' does not exist\n" if !defined($snap);
5131
5132 $snap->{description} = $param->{description} if defined($param->{description});
5133
5134 PVE::QemuConfig->write_config($vmid, $conf);
5135 };
5136
5137 PVE::QemuConfig->lock_config($vmid, $updatefn);
5138
5139 return;
5140 }});
5141
5142 __PACKAGE__->register_method({
5143 name => 'get_snapshot_config',
5144 path => '{vmid}/snapshot/{snapname}/config',
5145 method => 'GET',
5146 proxyto => 'node',
5147 description => "Get snapshot configuration",
5148 permissions => {
5149 check => ['perm', '/vms/{vmid}', [ 'VM.Snapshot', 'VM.Snapshot.Rollback', 'VM.Audit' ], any => 1],
5150 },
5151 parameters => {
5152 additionalProperties => 0,
5153 properties => {
5154 node => get_standard_option('pve-node'),
5155 vmid => get_standard_option('pve-vmid'),
5156 snapname => get_standard_option('pve-snapshot-name'),
5157 },
5158 },
5159 returns => { type => "object" },
5160 code => sub {
5161 my ($param) = @_;
5162
5163 my $rpcenv = PVE::RPCEnvironment::get();
5164
5165 my $authuser = $rpcenv->get_user();
5166
5167 my $vmid = extract_param($param, 'vmid');
5168
5169 my $snapname = extract_param($param, 'snapname');
5170
5171 my $conf = PVE::QemuConfig->load_config($vmid);
5172
5173 my $snap = $conf->{snapshots}->{$snapname};
5174
5175 die "snapshot '$snapname' does not exist\n" if !defined($snap);
5176
5177 return $snap;
5178 }});
5179
5180 __PACKAGE__->register_method({
5181 name => 'rollback',
5182 path => '{vmid}/snapshot/{snapname}/rollback',
5183 method => 'POST',
5184 protected => 1,
5185 proxyto => 'node',
5186 description => "Rollback VM state to specified snapshot.",
5187 permissions => {
5188 check => ['perm', '/vms/{vmid}', [ 'VM.Snapshot', 'VM.Snapshot.Rollback' ], any => 1],
5189 },
5190 parameters => {
5191 additionalProperties => 0,
5192 properties => {
5193 node => get_standard_option('pve-node'),
5194 vmid => get_standard_option('pve-vmid', { completion => \&PVE::QemuServer::complete_vmid }),
5195 snapname => get_standard_option('pve-snapshot-name'),
5196 start => {
5197 type => 'boolean',
5198 description => "Whether the VM should get started after rolling back successfully."
5199 . " (Note: VMs will be automatically started if the snapshot includes RAM.)",
5200 optional => 1,
5201 default => 0,
5202 },
5203 },
5204 },
5205 returns => {
5206 type => 'string',
5207 description => "the task ID.",
5208 },
5209 code => sub {
5210 my ($param) = @_;
5211
5212 my $rpcenv = PVE::RPCEnvironment::get();
5213
5214 my $authuser = $rpcenv->get_user();
5215
5216 my $node = extract_param($param, 'node');
5217
5218 my $vmid = extract_param($param, 'vmid');
5219
5220 my $snapname = extract_param($param, 'snapname');
5221
5222 my $realcmd = sub {
5223 PVE::Cluster::log_msg('info', $authuser, "rollback snapshot VM $vmid: $snapname");
5224 PVE::QemuConfig->snapshot_rollback($vmid, $snapname);
5225
5226 if ($param->{start} && !PVE::QemuServer::Helpers::vm_running_locally($vmid)) {
5227 PVE::API2::Qemu->vm_start({ vmid => $vmid, node => $node });
5228 }
5229 };
5230
5231 my $worker = sub {
5232 # hold migration lock, this makes sure that nobody create replication snapshots
5233 return PVE::GuestHelpers::guest_migration_lock($vmid, 10, $realcmd);
5234 };
5235
5236 return $rpcenv->fork_worker('qmrollback', $vmid, $authuser, $worker);
5237 }});
5238
5239 __PACKAGE__->register_method({
5240 name => 'delsnapshot',
5241 path => '{vmid}/snapshot/{snapname}',
5242 method => 'DELETE',
5243 protected => 1,
5244 proxyto => 'node',
5245 description => "Delete a VM snapshot.",
5246 permissions => {
5247 check => ['perm', '/vms/{vmid}', [ 'VM.Snapshot' ]],
5248 },
5249 parameters => {
5250 additionalProperties => 0,
5251 properties => {
5252 node => get_standard_option('pve-node'),
5253 vmid => get_standard_option('pve-vmid', { completion => \&PVE::QemuServer::complete_vmid }),
5254 snapname => get_standard_option('pve-snapshot-name'),
5255 force => {
5256 optional => 1,
5257 type => 'boolean',
5258 description => "For removal from config file, even if removing disk snapshots fails.",
5259 },
5260 },
5261 },
5262 returns => {
5263 type => 'string',
5264 description => "the task ID.",
5265 },
5266 code => sub {
5267 my ($param) = @_;
5268
5269 my $rpcenv = PVE::RPCEnvironment::get();
5270
5271 my $authuser = $rpcenv->get_user();
5272
5273 my $node = extract_param($param, 'node');
5274
5275 my $vmid = extract_param($param, 'vmid');
5276
5277 my $snapname = extract_param($param, 'snapname');
5278
5279 my $lock_obtained;
5280 my $do_delete = sub {
5281 $lock_obtained = 1;
5282 PVE::Cluster::log_msg('info', $authuser, "delete snapshot VM $vmid: $snapname");
5283 PVE::QemuConfig->snapshot_delete($vmid, $snapname, $param->{force});
5284 };
5285
5286 my $realcmd = sub {
5287 if ($param->{force}) {
5288 $do_delete->();
5289 } else {
5290 eval { PVE::GuestHelpers::guest_migration_lock($vmid, 10, $do_delete); };
5291 if (my $err = $@) {
5292 die $err if $lock_obtained;
5293 die "Failed to obtain guest migration lock - replication running?\n";
5294 }
5295 }
5296 };
5297
5298 return $rpcenv->fork_worker('qmdelsnapshot', $vmid, $authuser, $realcmd);
5299 }});
5300
5301 __PACKAGE__->register_method({
5302 name => 'template',
5303 path => '{vmid}/template',
5304 method => 'POST',
5305 protected => 1,
5306 proxyto => 'node',
5307 description => "Create a Template.",
5308 permissions => {
5309 description => "You need 'VM.Allocate' permissions on /vms/{vmid}",
5310 check => [ 'perm', '/vms/{vmid}', ['VM.Allocate']],
5311 },
5312 parameters => {
5313 additionalProperties => 0,
5314 properties => {
5315 node => get_standard_option('pve-node'),
5316 vmid => get_standard_option('pve-vmid', { completion => \&PVE::QemuServer::complete_vmid_stopped }),
5317 disk => {
5318 optional => 1,
5319 type => 'string',
5320 description => "If you want to convert only 1 disk to base image.",
5321 enum => [PVE::QemuServer::Drive::valid_drive_names()],
5322 },
5323
5324 },
5325 },
5326 returns => {
5327 type => 'string',
5328 description => "the task ID.",
5329 },
5330 code => sub {
5331 my ($param) = @_;
5332
5333 my $rpcenv = PVE::RPCEnvironment::get();
5334
5335 my $authuser = $rpcenv->get_user();
5336
5337 my $node = extract_param($param, 'node');
5338
5339 my $vmid = extract_param($param, 'vmid');
5340
5341 my $disk = extract_param($param, 'disk');
5342
5343 my $load_and_check = sub {
5344 my $conf = PVE::QemuConfig->load_config($vmid);
5345
5346 PVE::QemuConfig->check_lock($conf);
5347
5348 die "unable to create template, because VM contains snapshots\n"
5349 if $conf->{snapshots} && scalar(keys %{$conf->{snapshots}});
5350
5351 die "you can't convert a template to a template\n"
5352 if PVE::QemuConfig->is_template($conf) && !$disk;
5353
5354 die "you can't convert a VM to template if VM is running\n"
5355 if PVE::QemuServer::check_running($vmid);
5356
5357 return $conf;
5358 };
5359
5360 $load_and_check->();
5361
5362 my $realcmd = sub {
5363 PVE::QemuConfig->lock_config($vmid, sub {
5364 my $conf = $load_and_check->();
5365
5366 $conf->{template} = 1;
5367 PVE::QemuConfig->write_config($vmid, $conf);
5368
5369 PVE::QemuServer::template_create($vmid, $conf, $disk);
5370 });
5371 };
5372
5373 return $rpcenv->fork_worker('qmtemplate', $vmid, $authuser, $realcmd);
5374 }});
5375
5376 __PACKAGE__->register_method({
5377 name => 'cloudinit_generated_config_dump',
5378 path => '{vmid}/cloudinit/dump',
5379 method => 'GET',
5380 proxyto => 'node',
5381 description => "Get automatically generated cloudinit config.",
5382 permissions => {
5383 check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
5384 },
5385 parameters => {
5386 additionalProperties => 0,
5387 properties => {
5388 node => get_standard_option('pve-node'),
5389 vmid => get_standard_option('pve-vmid', { completion => \&PVE::QemuServer::complete_vmid }),
5390 type => {
5391 description => 'Config type.',
5392 type => 'string',
5393 enum => ['user', 'network', 'meta'],
5394 },
5395 },
5396 },
5397 returns => {
5398 type => 'string',
5399 },
5400 code => sub {
5401 my ($param) = @_;
5402
5403 my $conf = PVE::QemuConfig->load_config($param->{vmid});
5404
5405 return PVE::QemuServer::Cloudinit::dump_cloudinit_config($conf, $param->{vmid}, $param->{type});
5406 }});
5407
5408 __PACKAGE__->register_method({
5409 name => 'mtunnel',
5410 path => '{vmid}/mtunnel',
5411 method => 'POST',
5412 protected => 1,
5413 description => 'Migration tunnel endpoint - only for internal use by VM migration.',
5414 permissions => {
5415 check =>
5416 [ 'and',
5417 ['perm', '/vms/{vmid}', [ 'VM.Allocate' ]],
5418 ['perm', '/', [ 'Sys.Incoming' ]],
5419 ],
5420 description => "You need 'VM.Allocate' permissions on '/vms/{vmid}' and Sys.Incoming" .
5421 " on '/'. Further permission checks happen during the actual migration.",
5422 },
5423 parameters => {
5424 additionalProperties => 0,
5425 properties => {
5426 node => get_standard_option('pve-node'),
5427 vmid => get_standard_option('pve-vmid'),
5428 storages => {
5429 type => 'string',
5430 format => 'pve-storage-id-list',
5431 optional => 1,
5432 description => 'List of storages to check permission and availability. Will be checked again for all actually used storages during migration.',
5433 },
5434 bridges => {
5435 type => 'string',
5436 format => 'pve-bridge-id-list',
5437 optional => 1,
5438 description => 'List of network bridges to check availability. Will be checked again for actually used bridges during migration.',
5439 },
5440 },
5441 },
5442 returns => {
5443 additionalProperties => 0,
5444 properties => {
5445 upid => { type => 'string' },
5446 ticket => { type => 'string' },
5447 socket => { type => 'string' },
5448 },
5449 },
5450 code => sub {
5451 my ($param) = @_;
5452
5453 my $rpcenv = PVE::RPCEnvironment::get();
5454 my $authuser = $rpcenv->get_user();
5455
5456 my $node = extract_param($param, 'node');
5457 my $vmid = extract_param($param, 'vmid');
5458
5459 my $storages = extract_param($param, 'storages');
5460 my $bridges = extract_param($param, 'bridges');
5461
5462 my $nodename = PVE::INotify::nodename();
5463
5464 raise_param_exc({ node => "node needs to be 'localhost' or local hostname '$nodename'" })
5465 if $node ne 'localhost' && $node ne $nodename;
5466
5467 $node = $nodename;
5468
5469 my $storecfg = PVE::Storage::config();
5470 foreach my $storeid (PVE::Tools::split_list($storages)) {
5471 $check_storage_access_migrate->($rpcenv, $authuser, $storecfg, $storeid, $node);
5472 }
5473
5474 foreach my $bridge (PVE::Tools::split_list($bridges)) {
5475 PVE::Network::read_bridge_mtu($bridge);
5476 }
5477
5478 PVE::Cluster::check_cfs_quorum();
5479
5480 my $lock = 'create';
5481 eval { PVE::QemuConfig->create_and_lock_config($vmid, 0, $lock); };
5482
5483 raise_param_exc({ vmid => "unable to create empty VM config - $@"})
5484 if $@;
5485
5486 my $realcmd = sub {
5487 my $state = {
5488 storecfg => PVE::Storage::config(),
5489 lock => $lock,
5490 vmid => $vmid,
5491 };
5492
5493 my $run_locked = sub {
5494 my ($code, $params) = @_;
5495 return PVE::QemuConfig->lock_config($state->{vmid}, sub {
5496 my $conf = PVE::QemuConfig->load_config($state->{vmid});
5497
5498 $state->{conf} = $conf;
5499
5500 die "Encountered wrong lock - aborting mtunnel command handling.\n"
5501 if $state->{lock} && !PVE::QemuConfig->has_lock($conf, $state->{lock});
5502
5503 return $code->($params);
5504 });
5505 };
5506
5507 my $cmd_desc = {
5508 config => {
5509 conf => {
5510 type => 'string',
5511 description => 'Full VM config, adapted for target cluster/node',
5512 },
5513 'firewall-config' => {
5514 type => 'string',
5515 description => 'VM firewall config',
5516 optional => 1,
5517 },
5518 },
5519 disk => {
5520 format => PVE::JSONSchema::get_standard_option('pve-qm-image-format'),
5521 storage => {
5522 type => 'string',
5523 format => 'pve-storage-id',
5524 },
5525 drive => {
5526 type => 'object',
5527 description => 'parsed drive information without volid and format',
5528 },
5529 },
5530 start => {
5531 start_params => {
5532 type => 'object',
5533 description => 'params passed to vm_start_nolock',
5534 },
5535 migrate_opts => {
5536 type => 'object',
5537 description => 'migrate_opts passed to vm_start_nolock',
5538 },
5539 },
5540 ticket => {
5541 path => {
5542 type => 'string',
5543 description => 'socket path for which the ticket should be valid. must be known to current mtunnel instance.',
5544 },
5545 },
5546 quit => {
5547 cleanup => {
5548 type => 'boolean',
5549 description => 'remove VM config and disks, aborting migration',
5550 default => 0,
5551 },
5552 },
5553 'disk-import' => $PVE::StorageTunnel::cmd_schema->{'disk-import'},
5554 'query-disk-import' => $PVE::StorageTunnel::cmd_schema->{'query-disk-import'},
5555 bwlimit => $PVE::StorageTunnel::cmd_schema->{bwlimit},
5556 };
5557
5558 my $cmd_handlers = {
5559 'version' => sub {
5560 # compared against other end's version
5561 # bump/reset for breaking changes
5562 # bump/bump for opt-in changes
5563 return {
5564 api => $PVE::QemuMigrate::WS_TUNNEL_VERSION,
5565 age => 0,
5566 };
5567 },
5568 'config' => sub {
5569 my ($params) = @_;
5570
5571 # parse and write out VM FW config if given
5572 if (my $fw_conf = $params->{'firewall-config'}) {
5573 my ($path, $fh) = PVE::Tools::tempfile_contents($fw_conf, 700);
5574
5575 my $empty_conf = {
5576 rules => [],
5577 options => {},
5578 aliases => {},
5579 ipset => {} ,
5580 ipset_comments => {},
5581 };
5582 my $cluster_fw_conf = PVE::Firewall::load_clusterfw_conf();
5583
5584 # TODO: add flag for strict parsing?
5585 # TODO: add import sub that does all this given raw content?
5586 my $vmfw_conf = PVE::Firewall::generic_fw_config_parser($path, $cluster_fw_conf, $empty_conf, 'vm');
5587 $vmfw_conf->{vmid} = $state->{vmid};
5588 PVE::Firewall::save_vmfw_conf($state->{vmid}, $vmfw_conf);
5589
5590 $state->{cleanup}->{fw} = 1;
5591 }
5592
5593 my $conf_fn = "incoming/qemu-server/$state->{vmid}.conf";
5594 my $new_conf = PVE::QemuServer::parse_vm_config($conf_fn, $params->{conf}, 1);
5595 delete $new_conf->{lock};
5596 delete $new_conf->{digest};
5597
5598 # TODO handle properly?
5599 delete $new_conf->{snapshots};
5600 delete $new_conf->{parent};
5601 delete $new_conf->{pending};
5602
5603 # not handled by update_vm_api
5604 my $vmgenid = delete $new_conf->{vmgenid};
5605 my $meta = delete $new_conf->{meta};
5606 my $cloudinit = delete $new_conf->{cloudinit}; # this is informational only
5607 $new_conf->{skip_cloud_init} = 1; # re-use image from source side
5608
5609 $new_conf->{vmid} = $state->{vmid};
5610 $new_conf->{node} = $node;
5611
5612 PVE::QemuConfig->remove_lock($state->{vmid}, 'create');
5613
5614 eval {
5615 $update_vm_api->($new_conf, 1);
5616 };
5617 if (my $err = $@) {
5618 # revert to locked previous config
5619 my $conf = PVE::QemuConfig->load_config($state->{vmid});
5620 $conf->{lock} = 'create';
5621 PVE::QemuConfig->write_config($state->{vmid}, $conf);
5622
5623 die $err;
5624 }
5625
5626 my $conf = PVE::QemuConfig->load_config($state->{vmid});
5627 $conf->{lock} = 'migrate';
5628 $conf->{vmgenid} = $vmgenid if defined($vmgenid);
5629 $conf->{meta} = $meta if defined($meta);
5630 $conf->{cloudinit} = $cloudinit if defined($cloudinit);
5631 PVE::QemuConfig->write_config($state->{vmid}, $conf);
5632
5633 $state->{lock} = 'migrate';
5634
5635 return;
5636 },
5637 'bwlimit' => sub {
5638 my ($params) = @_;
5639 return PVE::StorageTunnel::handle_bwlimit($params);
5640 },
5641 'disk' => sub {
5642 my ($params) = @_;
5643
5644 my $format = $params->{format};
5645 my $storeid = $params->{storage};
5646 my $drive = $params->{drive};
5647
5648 $check_storage_access_migrate->($rpcenv, $authuser, $state->{storecfg}, $storeid, $node);
5649
5650 my $storagemap = {
5651 default => $storeid,
5652 };
5653
5654 my $source_volumes = {
5655 'disk' => [
5656 undef,
5657 $storeid,
5658 $drive,
5659 0,
5660 $format,
5661 ],
5662 };
5663
5664 my $res = PVE::QemuServer::vm_migrate_alloc_nbd_disks($state->{storecfg}, $state->{vmid}, $source_volumes, $storagemap);
5665 if (defined($res->{disk})) {
5666 $state->{cleanup}->{volumes}->{$res->{disk}->{volid}} = 1;
5667 return $res->{disk};
5668 } else {
5669 die "failed to allocate NBD disk..\n";
5670 }
5671 },
5672 'disk-import' => sub {
5673 my ($params) = @_;
5674
5675 $check_storage_access_migrate->(
5676 $rpcenv,
5677 $authuser,
5678 $state->{storecfg},
5679 $params->{storage},
5680 $node
5681 );
5682
5683 $params->{unix} = "/run/qemu-server/$state->{vmid}.storage";
5684
5685 return PVE::StorageTunnel::handle_disk_import($state, $params);
5686 },
5687 'query-disk-import' => sub {
5688 my ($params) = @_;
5689
5690 return PVE::StorageTunnel::handle_query_disk_import($state, $params);
5691 },
5692 'start' => sub {
5693 my ($params) = @_;
5694
5695 my $info = PVE::QemuServer::vm_start_nolock(
5696 $state->{storecfg},
5697 $state->{vmid},
5698 $state->{conf},
5699 $params->{start_params},
5700 $params->{migrate_opts},
5701 );
5702
5703
5704 if ($info->{migrate}->{proto} ne 'unix') {
5705 PVE::QemuServer::vm_stop(undef, $state->{vmid}, 1, 1);
5706 die "migration over non-UNIX sockets not possible\n";
5707 }
5708
5709 my $socket = $info->{migrate}->{addr};
5710 chown $state->{socket_uid}, -1, $socket;
5711 $state->{sockets}->{$socket} = 1;
5712
5713 my $unix_sockets = $info->{migrate}->{unix_sockets};
5714 foreach my $socket (@$unix_sockets) {
5715 chown $state->{socket_uid}, -1, $socket;
5716 $state->{sockets}->{$socket} = 1;
5717 }
5718 return $info;
5719 },
5720 'fstrim' => sub {
5721 if (PVE::QemuServer::qga_check_running($state->{vmid})) {
5722 eval { mon_cmd($state->{vmid}, "guest-fstrim") };
5723 warn "fstrim failed: $@\n" if $@;
5724 }
5725 return;
5726 },
5727 'stop' => sub {
5728 PVE::QemuServer::vm_stop(undef, $state->{vmid}, 1, 1);
5729 return;
5730 },
5731 'nbdstop' => sub {
5732 PVE::QemuServer::nbd_stop($state->{vmid});
5733 return;
5734 },
5735 'resume' => sub {
5736 if (PVE::QemuServer::Helpers::vm_running_locally($state->{vmid})) {
5737 PVE::QemuServer::vm_resume($state->{vmid}, 1, 1);
5738 } else {
5739 die "VM $state->{vmid} not running\n";
5740 }
5741 return;
5742 },
5743 'unlock' => sub {
5744 PVE::QemuConfig->remove_lock($state->{vmid}, $state->{lock});
5745 delete $state->{lock};
5746 return;
5747 },
5748 'ticket' => sub {
5749 my ($params) = @_;
5750
5751 my $path = $params->{path};
5752
5753 die "Not allowed to generate ticket for unknown socket '$path'\n"
5754 if !defined($state->{sockets}->{$path});
5755
5756 return { ticket => PVE::AccessControl::assemble_tunnel_ticket($authuser, "/socket/$path") };
5757 },
5758 'quit' => sub {
5759 my ($params) = @_;
5760
5761 if ($params->{cleanup}) {
5762 if ($state->{cleanup}->{fw}) {
5763 PVE::Firewall::remove_vmfw_conf($state->{vmid});
5764 }
5765
5766 for my $volid (keys $state->{cleanup}->{volumes}->%*) {
5767 print "freeing volume '$volid' as part of cleanup\n";
5768 eval { PVE::Storage::vdisk_free($state->{storecfg}, $volid) };
5769 warn $@ if $@;
5770 }
5771
5772 PVE::QemuServer::destroy_vm($state->{storecfg}, $state->{vmid}, 1);
5773 }
5774
5775 print "switching to exit-mode, waiting for client to disconnect\n";
5776 $state->{exit} = 1;
5777 return;
5778 },
5779 };
5780
5781 $run_locked->(sub {
5782 my $socket_addr = "/run/qemu-server/$state->{vmid}.mtunnel";
5783 unlink $socket_addr;
5784
5785 $state->{socket} = IO::Socket::UNIX->new(
5786 Type => SOCK_STREAM(),
5787 Local => $socket_addr,
5788 Listen => 1,
5789 );
5790
5791 $state->{socket_uid} = getpwnam('www-data')
5792 or die "Failed to resolve user 'www-data' to numeric UID\n";
5793 chown $state->{socket_uid}, -1, $socket_addr;
5794 });
5795
5796 print "mtunnel started\n";
5797
5798 my $conn = eval { PVE::Tools::run_with_timeout(300, sub { $state->{socket}->accept() }) };
5799 if ($@) {
5800 warn "Failed to accept tunnel connection - $@\n";
5801
5802 warn "Removing tunnel socket..\n";
5803 unlink $state->{socket};
5804
5805 warn "Removing temporary VM config..\n";
5806 $run_locked->(sub {
5807 PVE::QemuServer::destroy_vm($state->{storecfg}, $state->{vmid}, 1);
5808 });
5809
5810 die "Exiting mtunnel\n";
5811 }
5812
5813 $state->{conn} = $conn;
5814
5815 my $reply_err = sub {
5816 my ($msg) = @_;
5817
5818 my $reply = JSON::encode_json({
5819 success => JSON::false,
5820 msg => $msg,
5821 });
5822 $conn->print("$reply\n");
5823 $conn->flush();
5824 };
5825
5826 my $reply_ok = sub {
5827 my ($res) = @_;
5828
5829 $res->{success} = JSON::true;
5830 my $reply = JSON::encode_json($res);
5831 $conn->print("$reply\n");
5832 $conn->flush();
5833 };
5834
5835 while (my $line = <$conn>) {
5836 chomp $line;
5837
5838 # untaint, we validate below if needed
5839 ($line) = $line =~ /^(.*)$/;
5840 my $parsed = eval { JSON::decode_json($line) };
5841 if ($@) {
5842 $reply_err->("failed to parse command - $@");
5843 next;
5844 }
5845
5846 my $cmd = delete $parsed->{cmd};
5847 if (!defined($cmd)) {
5848 $reply_err->("'cmd' missing");
5849 } elsif ($state->{exit}) {
5850 $reply_err->("tunnel is in exit-mode, processing '$cmd' cmd not possible");
5851 next;
5852 } elsif (my $handler = $cmd_handlers->{$cmd}) {
5853 print "received command '$cmd'\n";
5854 eval {
5855 if ($cmd_desc->{$cmd}) {
5856 PVE::JSONSchema::validate($parsed, $cmd_desc->{$cmd});
5857 } else {
5858 $parsed = {};
5859 }
5860 my $res = $run_locked->($handler, $parsed);
5861 $reply_ok->($res);
5862 };
5863 $reply_err->("failed to handle '$cmd' command - $@")
5864 if $@;
5865 } else {
5866 $reply_err->("unknown command '$cmd' given");
5867 }
5868 }
5869
5870 if ($state->{exit}) {
5871 print "mtunnel exited\n";
5872 } else {
5873 die "mtunnel exited unexpectedly\n";
5874 }
5875 };
5876
5877 my $socket_addr = "/run/qemu-server/$vmid.mtunnel";
5878 my $ticket = PVE::AccessControl::assemble_tunnel_ticket($authuser, "/socket/$socket_addr");
5879 my $upid = $rpcenv->fork_worker('qmtunnel', $vmid, $authuser, $realcmd);
5880
5881 return {
5882 ticket => $ticket,
5883 upid => $upid,
5884 socket => $socket_addr,
5885 };
5886 }});
5887
5888 __PACKAGE__->register_method({
5889 name => 'mtunnelwebsocket',
5890 path => '{vmid}/mtunnelwebsocket',
5891 method => 'GET',
5892 permissions => {
5893 description => "You need to pass a ticket valid for the selected socket. Tickets can be created via the mtunnel API call, which will check permissions accordingly.",
5894 user => 'all', # check inside
5895 },
5896 description => 'Migration tunnel endpoint for websocket upgrade - only for internal use by VM migration.',
5897 parameters => {
5898 additionalProperties => 0,
5899 properties => {
5900 node => get_standard_option('pve-node'),
5901 vmid => get_standard_option('pve-vmid'),
5902 socket => {
5903 type => "string",
5904 description => "unix socket to forward to",
5905 },
5906 ticket => {
5907 type => "string",
5908 description => "ticket return by initial 'mtunnel' API call, or retrieved via 'ticket' tunnel command",
5909 },
5910 },
5911 },
5912 returns => {
5913 type => "object",
5914 properties => {
5915 port => { type => 'string', optional => 1 },
5916 socket => { type => 'string', optional => 1 },
5917 },
5918 },
5919 code => sub {
5920 my ($param) = @_;
5921
5922 my $rpcenv = PVE::RPCEnvironment::get();
5923 my $authuser = $rpcenv->get_user();
5924
5925 my $nodename = PVE::INotify::nodename();
5926 my $node = extract_param($param, 'node');
5927
5928 raise_param_exc({ node => "node needs to be 'localhost' or local hostname '$nodename'" })
5929 if $node ne 'localhost' && $node ne $nodename;
5930
5931 my $vmid = $param->{vmid};
5932 # check VM exists
5933 PVE::QemuConfig->load_config($vmid);
5934
5935 my $socket = $param->{socket};
5936 PVE::AccessControl::verify_tunnel_ticket($param->{ticket}, $authuser, "/socket/$socket");
5937
5938 return { socket => $socket };
5939 }});
5940
5941 1;
Virtual Machine Manager